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1 INTRODUCTION 


This edition of the OneOS Book corresponds to the OneOS V4.2 software release. 


The OneOS V4.2 software developed for use with the ONE product range offers an extensive range of 
features designed to provide a complete & highly powerful range of multi-service access routers: 


e Full IP router with NAPT, Security, and Quality of Service management 

e Support of voice for analog and ISDN SO/TO terminals using Voice over IP and Voice over ATM 
e —_Interworking of data protocols (FR, X.25, PAD, XOT, X.31) 

e Advanced management tools based on CLI (Command Line Interface), SNMP, FTP/TFTP 
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FEATURE MATRIX 


The following table is a resource providing edition by edition the released features. The table was done as 
of the release V3.5R2E3. For simplification, the indicated software release shows the presence of a 
feature in a given software release. It should be noted that most features were available in earlier versions. 
















































































Main Function | Feature Present at least in: 
File system Checking downloaded SW and boot integrity V3.5R2E3 
Dual SW image boot V3.5R2E3 
File transfer via FTP client V3.5R2E3 
File transfer via TFTP client V3.5R2E3 
TFTP server for file uploading V4.1R5E6 
Download and extract a TAR archive in file system V3.7R11E14 
General Command output filtering with the ‘|’ command V3.5R2E3 
management | Command for checking integrity of a downloaded boot or V3.5R2E3 
functions software image 
Password recovery V3.5R2E3 
Delayed reboot V3.5R2E3 
Restore factory settings command V3.5R2E3 
Banner (before/after logging in) V3.5R2E3 
Global statistics screen V3.5R2E3 
CPU load statistics V4.2R5E6 
show ip interface brief command V3.5R2E3 
Logging to a syslog server V3.5R2E3 
Blacklist management (console, tshell, telnet, SSH, web) V4.2R5E2 
Date/Time Manual date/time setting V3.5R2E3 
Clock offset based on time zone and summer time V3.5R2E3 
Synchronization with an NTP server (broadcast mode or V3.5R2E3 
not) 
Setting of SNTP source address (in non-broadcast mode) V3.5R2E3 
SNTP server V4.2R3E6 
Configuration | Check SIP gateway registration to trigger configuration V3.7R10E3 
Recovery recovery 
Check ping status to trigger configuration recovery V3.7R10E3 
SNMP Version 1, version 2C V3.5R2E3 
Multiple read-write communities V3.5R2E3 
Restricting SNMP access via access-lists V3.5R2E3 
Setting of SNMP source address V3.5R2E3 
SNMP v3: DES/3DES/no encryption, SHA1MD5 V3.5R2E3 
authentication 
SNMP views V3.5R2E3 
SNMP informs (acknowledged traps in SNMP v3) V3.5R2E3 
Private MIBs: System (Hardware description MIB, CPU, V3.5R2E3 
memory, ...), NAT, access-lists, I|Psec (traps only), voice 
MIB, SLA reporting MIB, private IP QoS MIB 



































Page 1.1-4 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 





























































































































| Supported standard MIBS: RFC 3289 (DiffServ), INET | V3.5R2E3 
Address MIB RFC 3291, Integrated Services (RFC 2213), 
FR RFC 1315, PPP: RFC 1471, 1472, 1473, 1474, IP RFC 
2011, 2233, 2851, IPoA: RFC 2320, ATM MIB RFC 2514, 
2515, Remote ping RFC 2925, SNMP admin: RFC 3411, 
view-based access control: RFC2575, BGP: RFC1269, 
OSPF: RFC1850, VRRP (traps only): RFC2787, RFC 2265 
(partial) 
Configuration of SNMP chassis-id, contact and location V3.5R2E3 
Traces and Event function (logging of state changes) to a syslog server, V3.5R2E3 
logging SNMP traps, console/file logging 
Logging of configuration history V3.5R2E3 
Trace and debug function (logs: buffered, syslog, console, V3.5R2E3 
file) 
Ping/traceroute | Ping with source address setting V3.5R2E3 
Extended ping V3.5R2E3 
Traceroute with source address setting V3.5R2E3 
Telnet Telnet client. Configurable port and source address V3.5R2E3 
Clear session of another user V3.5R2E3 
Setting up an access-list to restrict access to the embedded V3.5R2E3 
server 
Telnet server: configurable timeout, attachment to one or V3.5R2E3 
more interface and telnet server access restriction by an 
ACL 
SSH SSH server version 2 V3.5R2E3 
Configurable DSA signature length V3.5R2E3 
Enabling/disabling the SSH server V3.5R2E3 
Attaching the SSH server to one or more interfaces V3.5R2E3 
Attaching the SSH server to an ACL for access restriction V3.5R2E3 
Remote "exec telnet" command V4.2R5E15 
Web Configurator) HTTP server V3.5R2E3 
HTTPS server V4.2R2E2 
HTTP proxy V4.2R3E6 
HTTPS certificate management V4.2R4E2 
Packet capturing | Filter and log packets of an interface V3.5R2E3 
Saved captured packets in a pcap file V3.5R2E3 
Capture of 802.11 frames V4.2R3E6 
AAA, Local user | Configuration of local users V3.5R2E3 
database and | Support of 15 privilege levels V3.5R4E3 
tole-Based Modification of default command privilege level (‘privilege’ V3.5R2E3 
commana) 
RADIUS based user authentication V3.5R2E3 
TACACS+ based user authentication V3.5R2E3 
Command authorization via TACACS+ servers V3.5R2E3 
TACACS+ accounting (start-stop signal for commands, V3.5R4E3 
stop-only signal for exec session) 
Certificates Show certificates V4.2R5E2 
Public Key Infrastructure (PKI) V4.2R5E6 
Self-signed HTTPS server certificate V4.2R5E6 
Certificate signing request V4.2R5E6 
Certificate import V4.2R5E6 
Performance | ICMP echo probe: measuring RTT and packet loss V3.5R2E3 
Measurement | |CMP echo configuration via CLI or SNMP V3.5R2E3 
gies Path echo probe (configuration by CLI and SNMP) V3.5R2E3 
Path jitter probe (configuration by CLI) V3.5R2E3 
RTR responder V3.5R2E3 
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| History of the last measurements V3.5R2E3 
Measurement result distribution to form statistics V3.5R2E3 
Reaction triggers V3.5R2E3 
LAN Interface | Setting up of secondary IP addresses V3.5R2E3 
‘no keepalive' command V3.5R2E3 
VLAN 802.1q sub-interfaces on any Fast Ethernet port V3.5R2E3 
Disabling negotiation, full/nalf duplex forcing, speed forcing V3.5R2E3 
WLAN Multiple SSID support (4) V3.6R4E5 
Disabling SSID broadcast (guest-mode) V3.6R4E5 
Authentication: open, shared, WPA, WPA-PSK V3.6R4E5 
Filtering of MAC addresses V3.6R4E5 
Authentication via MAC addresses V3.6R4E5 
Layer-2 bridging between LAN and WLAN V3.6R4E5 
Additional debug: probe, beacon, assoc. + error levels V3.6R7E3 
Access Point Controller (extend coverage) V4.2R5E6 
WAN Interfaces | G.SHDSL 2 wires/4 wires V3.5R2E3 
G.SHDSL 2/4 wires auto-sensing V3.5R4E3 
G.SHDSL.bis for devices with ATM and EFM V3.7R11 
SDSL 2B1Q (fixed rate) V3.5R2E3 
STM-1 V3.5R2E3 
IMA E1 V3.5R2E3 
IMA SHDSL V3.6R8E22 (ONE300) 
ADSL V3.5R2E3 
Alternate ADSL FW loading V4.2R5E2 
E1/T1 ATM V3.5R2E3 
Serial E1/T1 (G.703 or G.704) and serial Vxx (PPP, MLPPP, V3.5R2E3 
FR) 
Single ISDN SO (ONE30/60/200): PPP, MLPPP V3.5R2E3 
NxS0 on the ONE200 and ONE400: PPP, MLPPP V3.5R2E3 
Single PRI on the ONE200 (fractional support) / ONE400 V3.5R2E3 
(full support): PPP, MLPPP 
PRI framing auto detection V4.2R4E2 
Analog PSTN modem (ONE30/60/200) V3.5R2E3 
Analog PSTN modem (ONE100) V3.6R5E3 
GPRS EDGE modem (ONECell25) V3.6R10E18 
UMTS modem (ONECell35) V3.7R13E6 
UMTS module firmware download V4.2R5E15 
ATM IPoA: LLC or Mux encapsulation V3.5R2E3 
PPPoA: unnumbered IP, PAP/CHAP authentication V3.5R2E3 
(optional 2-way authentication), encrypted password, 
LLC/Mux encapsulation 
MLPPPoA: single PVC support, fragmentation and V3.5R2E3 
interleaving 
PPPoEoA V3.5R2E3 
Multiplexed IPoE, PPPoE and IPoE V3.5R2E3 
ATM CoS: UBR, VBR, CBR V3.5R2E3 
Multi VLAN in an ATM (generic) PVC V4.2R2E2 
ATM OAM Automatic or manual F5 loopback V3.5R2E3 
Configuration of continuity check cell V3.5R2E3 
AIS/RDI management V3.5R2E3 
EFM EFM configuration V3.7R11 
PPP Unnumbered IP V3.5R2E3 
PAP/CHAP authentication, calling/called/two-authentication V3.5R2E3 
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| PPP keep alive configuration V3.5R2E3 
Scheduled reconnection V3.5R2E3 
Random timer for PPP re-establishment V3.5R2E3 
Password encryption V3.5R2E3 
Static and dynamic IP V3.5R2E3 
Link fragmentation and interleaving (LF) V3.5R2E3 
IPCP sub-net mask V4.2R4E2 
Frame Relay | LMI: NUI, UNI interface types; Q.933 and ANSI mode V3.5R2E3 
Frame relay traffic shaping: 4 priority levels, FRF.12 V3.5R2E3 
fragmentation and interleaving 
One IP address per DLCI (no point-to-multipoint topology) V3.5R2E3 
ISDN interface | PPP and MLPPP (one single MLPPP bundle is allowed) V3.5R2E3 
Dialing types: dial-in, dial-out, both V3.5R2E3 
Dial-on-demand and permanent dial-out V3.5R2E3 
ISDN signaling decoding V3.5R2E3 
ISDN test calls V3.5R2E3 
ISDN call-back V3.5R2E3 
Authentication of the caller's number (no check or check a V3.5R2E3 
list of configured calling numbers) 
Dial-out: main dialed number and backup ISDN numbers V3.5R2E3 
BACP protocol (Bandwidth allocation Control Protocol) V3.5R2E3 
Bandwidth on demand (open B-channels when needed) V3.5R2E3 
Dialer group _| Activity monitoring of switched interfaces (to close the dial- V3.5R2E3 
out interface in case of inactivity) 
Applicable to ISDN and PSTN interfaces V3.5R2E3 
Dialer watch-list | Open an interface when monitoring missing routes V3.5R2E3 
Applicable to ISDN V3.5R2E3 
Router Via ISDN interface V3.5R2E3 
authentication | via PSTN V3.5R2E3 
Interworking | FRF.5 (Vxx serial interface of the ONE60/200) V3.5R2E3 
functions FRF.8 (Vxx serial interface of the ONE60/200) V3.5R2E3 
XOT (ONE30, Vxx serial interface of the ONE60/200, V.28 V3.5R2E3 
daughter board of the ONE60/200) 
PAD over XOT (ONE30 V.28, V.28 daughter board of the V3.5R2E3 
ONE60/200) 
X.25 over ISDN D channel (X.31) V4.2R5E6 
X.25 call routing V3.5R2E3 
X.25 address translation, support of CUG V3.5R2E3 
X.25: configuration of source address V3.5R2E3 
DNS-based XOT destination resolution V3.5R2E3 
General IP Routing on VLSM and CIDR V3.5R2E3 
Functions IP fast forwarding and route caching V3.5R2E3 
Support of multiple IP addresses per interface V3.5R2E3 
Unnumbered interfaces V3.5R2E3 
Loopback interfaces, Null interface V3.5R2E3 
Static routing, setting of route administrative distance (static V3.5R2E3 
floating routes) 
Equal cost multi-path routing (flow-based load sharing per V3.5R2E3 
destination) 
Equal cost multi-path routing (flow-based load sharing per V4.2R5E6 
packet) 
Support of DNS, domain name and hostname V3.5R2E3 
ICMP redirect V3.5R2E3 
Sending ICMP unreachables V3.5R2E3 
Static ARP entries V3.5R2E3 
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| TCP MSS (Maximum Segment Size) Clamping on any V3.5R2E3 
interface 
Support of IP helper addresses V3.5R2E3 
IP Tunnels Unnumbered tunnel IP V3.5R2E3 
GRE: tunnel key, checksum, datagram sequencing, path V3.5R2E3 
MTU discovery 
GRE keep alive V3.5R2E3 
IP Security Software encryption algorithm: AES, DES, 3DES V3.5R2E3 
(IPsec) Software authentication algorithm: SHA, MD5 V3.5R2E3 
Hardware encryption algorithm (ONE60 only, on compatible V3.5R2E3 
hardware): DES, 3DES 
Hardware authentication algorithm (ONE60 only, on V3.5R2E3 
compatible hardware): SHA 
Perfect forward secrecy (PFS) V3.5R2E3 
Manual IPsec crypto map V3.5R2E3 
Internet Key Exchange (IKE) V3.5R2E3 
IKE with X.509 certificates V4.2R5E6 
Compression (IP comp algorithm) V3.5R2E3 
Configuration of SA lifetime V3.5R2E3 
Dynamic crypto maps V3.5R2E3 
Applying a crypto map directly on an output interface V3.5R2E3 
Applying a crypto map on a GRE tunnel V3.5R2E3 
Tunnel keep alive V3.5R2E3 
NAT traversal V3.5R3E1 
EZVPN client: Xauth IKE authentication V3.7R13E6 
L2TP LNS server V3.5R2E3 
PPP authentication with a RADIUS server V3.5R2E3 
L2Tunnel interface LAC client V3.6R4E5 
Accounting ON-OFF when LAC tunnel is setup V3.6R4E5 
VLAN 802.1q tagging V3.5R2E3 
802.1ad Q-in-Q tagging V4.2R5E6 
Multiple VLAN per port (layer-2 switching not allowed) V3.5R2E3 
Single VLAN per port (layer-2 switching permitted) V3.5R2E3 
Removing 802.1q tag (native VLAN encapsulation) V3.5R2E3 
ATM-AAL5 supporting VLAN V4.2R2E4 
PPPoE over VLAN V4.2R5E6 
Bridging Bridge Virtual Interface (BVI) V3.5R2E3 
BVI attachment to a PVC (frames are emitted with the V3.5R2E3 
IPoEoA encapsulation, LLC mode) 
Integrated Routing and Bridging (IRB): Multiplexing BVI and V3.5R2E3 
IPoA flows over a PVC 
Integrated Routing and Bridging (IRB): Multiplexing BVI and V3.5R2E3 
PPPoEOA flows over a PVC 
Priority Queuing of priority tagged frame V3.5R2E3 
IP Accounting | Per-flow accounting (source/destination IP) V3.5R3E1 
Accounting of ACL violations V3.5R3E1 
Accounting for IP filtered by an ACL V3.5R3E1 
DSCP-based accounting V3.5R3E1 
Access Control | Standard ACL V3.5R2E3 
List(ACL) | Extended ACL V3.5R2E3 
Reflexive filters (diode-effect rule) V3.5R2E3 
Context-Based Access Control (or Stateful Inspection) V3.5R2E3 
Reverse Path Forwarding Check (RPF) V3.5R2E3 
Configuration of ICMP unreachables V3.5R2E3 
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| Monitoring of fragments V3.5R2E3 
Rule-based logging V3.5R2E3 
Session auditing V3.5R2E3 
Rule sequencing and re-sequencing V3.5R2E3 
Limiting on half-open and open sessions V3.5R2E3 
Per-source-host session limiting and half-open session V3.5R2E3 
limiting, thresholds are configurable globally and per host 
Network Address| Static NAT/NAPT V3.5R2E3 
Translator (NAT) | Dynamic NAT/NAPT V3.5R2E3 
NAT/NAPT overload on a pool address V3.5R2E3 
Two-way NAT V3.5R2E3 
TCP/UDP load balancing V3.5R2E3 
Application Level Gateways: FTP, DNS, ICMP, NBT, H.323 V3.5R2E3 
Bypass list (ACL to determine packets being not translated) V3.5R2E3 
User list (ACL to determine packets being translated), also V3.5R2E3 
called selective NAT 
NAT ALG SIP deactivation V4.2R4E2 
IP QoS Input processing: classification, marking, policing V3.5R2E3 
Output processing: classification, marking, policing, shaping, V3.5R2E3 
congestion avoidance 
Classification based on ACL, DSCP/precedence, RTP, input V3.5R2E3 
interface, combination of criteria from various class maps 
Nested policy-map (policy-map within a class of a policy- V3.5R2E3 
map) 
Policing: single rate traffic policer, two-rate traffic policer, V3.5R2E3 
color aware policer 
Policing bandwidth configured in absolute value or percent V3.5R2E3 
Shaping bandwidth configured in absolute value or percent V3.5R2E3 
of the layer-1 link bandwidth 
Shaping: CBQ, CB-WFQ, Generic Traffic Shaping (GTS) on V3.5R2E3 
any interface when a QoS policy is configured, LLQ (Low 
Latency Queuing) for high priority frames 
Sharing remaining bandwidth in CBQ/CBWFQ shaping: V3.5R2E3 
based on class weights 
Sharing remaining bandwidth in CBQ/CBWFQ shaping: V4.2R4E2 
based on class priorities 
Class-based marking and/or marking per policing V3.5R2E3 
conformance classes 
Explicit Congestion Notification V3.5R2E3 
Virtual QoS group marking and matching V3.5R2E3 
Class-based Random Early Discard (RED) and Weighted V3.5R2E3 
RED (WRED), color-aware WRED 
Layer-2 marking: ATM CLP, FR DE V3.5R2E3 
Layer-2 QoS: CIR + priority V4.2R4E2 
Policy-Based | Matching packets based on class-maps V3.5R2E3 
Routing (PBR) | Bypass routing by setting: V3.5R2E3 
- output interfaces 
- or next-hop IP address 
Support of multiple backup output interfaces/next-hop V3.5R2E3 
Local policy route map for local flow marking V3.5R2E3 
Layer-2 marking: CLP, DE V3.5R2E3 
DHCP Server | Support of multiple pool of IP addresses V3.5R2E3 
DHCP database backup on an FTP server V3.5R2E3 
Support of manual and dynamic MAC-IP binding V3.5R2E3 
Support of DHCP options V3.5R2E3 
Matching option 77 V4.2R3E6 
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| DHCP Client and | DHCP relay | V3.5R2E3 
Relay DHCP client V3.5R2E3 
Setting the vendor-id in the DHCP request field V3.5R2E3 
AZR features: ARP ping, accounting, ARP table update via V3.6R4E5 
DHCP 
DHCP client: option 60/61/77, ignoring default route V4.2R3E6 
Secure association (option 43) 
Dynamic DNS | Support of dyndns.org, No-IP and EuroDynDNS server V3.5R2E3 
server update 
(DynDNS) 
Auto-update DHCP method: Automatic software download V3.5R4E3 
DHCP method: Automatic configuration download V3.5R4E3 
Auto-update via http V3.7R11E14 
CWMP (TR-69) | Download RPC: configuration, OS, web pages V4.2R2E2 
Configuration download in add-in or overwrite mode 
Upload RPC V4.2R2E2 
Inform trigger events: periodic, boot, bootstrap, request V4.2R2E2 
download 
Reboot RPC V4.2R2E2 
Factory Reset RPC V4.2R2E2 
Get RPC Methods RPC V4.2R2E2 
Schedule Inform RPC V4.2R2E2 
TR-69 Pass-Through (TR-111) V4.2R5E2 
STUN client configuration V4.2R5E2 
DNS Proxy Support of multiple DNS servers V3.5R2E3 
DNS Servers learnt priority V4.2R5E6 
DNS cache V3.5R2E3 
VRRP Support of multiple VRRP instances V3.5R2E3 
Priority handling and pre-emption of master role V3.5R2E3 
Support of authentication V3.5R2E3 
Support of a monitoring interface where VRRP V3.5R2E3 
advertisements are sent 
Support of a tracking interface (if the interface is down, the V3.5R2E3 
virtual router priority is decreased) 
Tracking list (if some routes are down, the virtual router V3.5R2E3 
priority is decreased) 
Optional SNMP traps V3.5R2E3 
IRDP ICMP Router Discovery Protocol (as router) V3.5R2E3 
Server Load Weighted load balancing on a server farm V3.5R2E3 
Balancing Monitoring of active servers and quarantine servers not V3.5R2E3 
responding 
Routing Support of V1 and V2 on any interfaces V3.5R2E3 
Information —_| Configuration of RIP version on a per-interface basis V3.5R2E3 
Protocol (RIP) ase 
Authentication support V3.5R2E3 
Redistribution of static, connected, OSPF and BGP routes V3.5R2E3 
Filtering redistributed routes based on route maps V3.5R2E3 
Route map feature: match using ACL and prefix-list, V3.5R2E3 
match/set tag, set metric 
Distribute-list (in/out) using standard ACL V3.5R2E3 
Configuration of administrative distance V3.5R2E3 
Border Gateway | Network advertisement with a route-map directly applied V3.5R2E3 
Protocol (BGP) | onto the advertised network 
Support both E-BGP and I-BGP V3.5R2E3 
TCP MD5 authentication V3.5R2E3 
Neighbor configuration within peer-groups V3.5R2E3 
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| Support of non-directly connected eBGP neighbors (eBGP V3.5R2E3 
multi-hop) 
Community support and update filtering with community list V3.5R2E3 
Send default route on a per neighbor basis V3.5R2E3 
Limitation of the maximum learnt prefix number from a V3.5R2E3 
neighbor 
Allow routes with two or more times the same AS in its AS V3.5R2E3 
path (allowas-in) 
Overwrite next hop by router's address (next-hop-self) V3.5R2E3 
Route-map based filtering by neighbors V3.5R2E3 
Soft connection reset V3.5R2E3 
Support of multi-path routes (load sharing) V3.5R2E3 
Redistribution of static, connected, OSPF and RIP routes V3.5R2E3 
Filtering redistributed routes based on route maps V3.5R2E3 
Route map feature: match using ACL and prefix-list, V3.5R2E3 
match/set tag, match/set community, match AS path, set 
metric 
BGP confederation V3.5R2E3 
Weight attribute V3.5R2E3 
Distribute-list V3.5R2E3 
Route summarization (or aggregation) V3.5R2E3 
Route reflector V3.5R2E3 
Dampening of flapping routes V3.5R2E3 
Open Shortest | Stub areas, NSSA, totally stubby area V3.5R2E3 
Path First —_| Virtual links V3.5R2E3 
protocol (OoEF) Authentication V3.5R2E3 
Interface cost tuning V3.5R2E3 
Administrative distance V3.5R2E3 
Route redistribution V3.5R2E3 
Multicast Routing! IGMP V1/V2/V3 V3.5R2E3 
PIM-SM V2 V3.5R2E3 
Source-specific multicast V3.5R2E3 
RP group list V3.5R2E3 
Bootstrap router support V3.5R2E3 
Static multicast routes V3.5R2E3 
Scope groups by direction V4.2R5E2 
Source interface setting for register address V3.5R2E3 
IGMP access-lists V3.5R2E3 
Switching to source tree V3.5R2E3 
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4.12.2.11 Changing the Maximum Number of SeSSIONS ............eccceeeeeeeeeeeeeeeeeteneeeeeeeeeaees 4.12-335 

4.12.2.12 Changing the Idle-Timers ..........ceeceeeseeeeneeeeneeeeeeeeaeeeeaeeseaeeseaeeseaeeseaeeseeeseeeseaes 4.12-335 
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A124. StatiSthesis. s: sices Sec cile fuiibenshegekced sllea dg decibnc eeiciag veel det jbive le deehtee uae evidenced 4.12-339 
4:12:5° “‘Debuigvand: Trace)... ccees ec cite staes va cectiy ast bes eed eu tede aa eaten es ieee eee ieee 4.12-340 

AAS: P*ACCOUNTIAG: <s.25cceccccsicessecengeceliiadccde seas be chi becedcaeseceahandiecheadaabs siadesdshuaccusesnecess Guecadhesd ptnetehepeagehis 4.13-341 
AVE, +E @AUUKOS: cass cb cncts sfeteada-sudecns iScaesezea¥antesecaesd cedgniaadensssieahisaaadaanteneedbansd deel iaet db scesdeseteaactie 4.13-341 

4.13.1.1 Per flow ACCOUNTING... eeeeeceeeeeeeeeeeneeeeeeeneeereaeeeeeeneeeeeeaaeeeseaeeeeneaeeeeeenaeeerenaeess 4.13-341 

4.13.1.2 Accounting list SeleCtiON ....... ee eeceeseeeeeeeneeeeeeeeeeeeeseeeeaeeeeaeeseseeseaeeteaeeeneeeeeneee 4.13-341 
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4.14.2 Configuration COMMANAS ...........:ecceeeceeeeeeeeeeeeeeeeeeeeeeesaeeeeeeseeeeeeeesaaeeeaeeesieeseeeeeiaeeeeees 4.14-346 
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4.14.2.13 Per-Host Sessions Limitation ...........ccceeeceeeceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeseneeeeeeeeeaaes 4.14-350 
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4.15.2.1.3 Classifier Matching an Input Interface ...........ceeeeeeeceeeeeeeeeeeeeeeeteneeeseeres 4.15-364 
4.15.2.1.4 Classifier for RTP Trafic 0.0... eeeecesceeeseeteneeeeeeteaeeeeaeeseaeeseaeeseaeeeeaeetias 4.15-364 
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4.15.2.4 Bandwidth Setting 0... eee eeeeeseeeeseeeeeeeeeeeeeeeeeaeeeeeeeeeseeeeaeeseaeeseaeeseaeeeseeseaaes 4.15-366 

4.15.2.5 Remaining Bandwidth Distribution Management............:ccceeceeseeeeeeeeseeeeeeeeaees 4.15-367 
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BANTAM “DACP GIG Mt i cesec pst ead aches ltreci ee AGEs: hed Ave cahegs ni Stcasee MESSE ea hs tes ete nd 4.17-389 
4A7A:2. DHCP S@Ivelisseccea cise ceveyecrees cee sheen ieteces ceeete seh tee ge deve dined ceed eeeties eres ried 4.17-389 
4.17453" DAGP: Relay: ieicnesich titi ahstens tiie cei nied aah een ended vhetenes 4.17-390 

ANS :5: | StAtiStiGS.. excedees eves ces ascasladte dest eevaedeitas ach eae ceasnenesthevheenetiteed sac sanecevsue hah eee A aeeuereeis 4.17-391 

4.17:6" : -Debug and Trace s..cicccecipadccce seus dead ated shape acts shtiadecvesca ces sbhceeshuacagenstecapassteasdeetianstenanaasiie 4.17-391 

4.4180 \Bynadmic Dns Client::s:2:::hecsecivse issih ers eghtd edit cag hieeai fd saste tii bape aei aaa 4.18-392 

4318:1) Features cnn g shea dai eae. An A ee ae ge ne ae 4.18-392 

AAS COnfiQuratiOn s,s sie iutaceh ect set plea ee Medic Oe eee es ee ond ad 4.18-392 

AAB3" sSNOW sree stiac cores Ah et os ten Goede ties aad Dashes cates dares ce eat aceasta eter eat hats 4.18-393 

4.18:4° Debug sand. Traces ists <Siceibicdeg esccnerids eee d dacs Nepandd ened evecdeancns Astute Mas snd saets cea dalviss doe tideess 4.18-393 

AAS: -AUtO-Updatess: asicec oso tects ska ctat dots faces vaicestudesedicsvushedhananddeasiescasnandadsaaatedeassaniag feast iaaeahsadniesstedaeasé 4.19-394 

BAA” SMMtFODUCUION Foes cevseves cevteueseedscted veh hevdenes aecaueye ded etuatvereeentia thee tle bed de eel gtiapeaet oe 4.19-394 

AAQ2. ~“COMPQUPATION A. 5: d.scic saree 2 cceedendendes Sekl cedegeactetaces cuca ds seuee evened eta navdente veel Sep iade 4.19-396 

BAO” EXAMPpPlOS eclicds cxsiiys acta vavesteeesgesctideadicsauii vin cevaaven deeeige sched eset cen dey gases eetee 4.19-399 

4:19.4- Debug and. Statistics ees: i::izeces.saesidizesisnas.caesshacsidehusedhssid ssisdveweesdyasbeddsdvsiaeadtantvadsishaeedtenie 4.19-399 

4.20 CPE WAN Management Protocol (CWMP - TR-69) ........:::cecceeeeeeeeeeeeeeeeseeeeeeeeeseeeeeeeetnaeeneeeenea 4.20-401 

4.20:1.. “Feature: Description:::::c:35.2.05 ee. Bie Ae eee 4.20-401 
4.20.1.1 CWMP Transport Layer... eeceeeceeseeeeeeeeeneeeeeeeeeneeeseeeeeaeeeseeeeeeeseeeeeeeeeteeeeeaaes 4.20-401 
4.20.1.2 INFORM RPC: Triggering Events and Content ...........::ceccceeeeeeeseeeeeeeeeneeeeeeeeeaees 4.20-401 
4.20.1.3 Initiating TR-069 Sessions from ACS .0.....eecceeeseeseeeseeeeeneeeeeeeeeeeeeeeeseeeeteeeeeaaee 4.20-402 

4.20.1.3.1 Connection REQUCSTS.............::cccceeeceeeeeeeeeeeeeeeeeeeeeetaeeeeeeetaeeeeeetaeeneeeete 4.20-402 
4:20.1.3.2. ‘Scheduled InfOrm:1.:.::2:5. 2 eceseees hives cesses scales gectveees cdietesecteveee tbe de speceetie 4.20-402 
4.20.1.4 RPC invoked by ACS oc eeceeecseeseeeeneeeeeeeeeeeeseeeeseeesaeeeeaeeeeaeeseaeeseaeeseaeeeeeeeenaes 4.20-402 
4.20.1.5 TR-69 Scenarios behind a NAT Gateway (TR-111, TR-69 Pass-through)......... 4.20-404 

4:20:2 <Gonfiguring; GWM Pia. cstsecsigee idee: ateecs selec sees adte tenedeahes Se sboci aa ebveeeat sede Ghee ahaatna Seem enens 4.20-404 

4.20.3 ‘CWMP Data Model iissc.. cc cncs nec aie erence ue ai evi erie ee 4.20-406 

4.20.4 Enabling TR-111/TR-69 Pass-Through ..........:cccceeeceeeeeeeeeeeeeeeeeeeeeeeeeseeeeseeeeeeesieeeeeees 4.20-408 

4.20.5 Manual CWMP Operations ...........ccceecceeeeeeeneeeeeeeeeeeeeeeeeeeeeseeeeeeeeseaeeeieeeseaeesseeeteaeeeeaeess 4.20-409 

4.20.6 Statistics and TroubleShOoting...........eecceeceeeeeeceeeeeeeeeceeeeeeeeceaeeseaeeseaeeeeeeeseaeeseeeeseaeeeeaeess 4.20-410 

4.20.7 Configuration Example ...........cecceeeceeseeeeseeeeeeeeeeeeeeeeeseeeeaeeeesaeseaeeesaaeseaeesesaeseaeesteeeeeees 4.20-410 

4:21 - Autoconfiguration: cnc: iid ane ai eis Rae he aL de dace ei eo 4.21-411 

AQUA FOATUOS 2: cocci sec cecthieeed ee centesth codes aden ede eadd odie. cnenehascuniveedeewesedec engin ceneeeiseeenivh. ee eec ante 4.21-411 

4.21.2 Configuration COMMANAS ...........cceeeceeeceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeaeeeaeeesaeeeeeesieeseeeeetiaeeeeees 4.21-412 
4.21.2.1 Enabling AUtOCOnfiQuration...........eeseeeeeeseeeeeeneeeeeeneeeeeeeaeeeseaeeeeneaeeeeeenaeeerenaeees 4.21-412 
4.21.2.2 Method-1-Specific Autoconfiguration Parameters ..........:ccceecceeseeeeeeeenteeeeeeeeees 4.21-412 

4.21.2.2.1 Voice AUtoConfiguration 0.2... eecseeeeseeeeeesneeeeeeeeeeseneeeeeenaeeeeeeneeeeseneeeees 4.21-412 
4.21.2.2.2 Software Image Download ...........ecceeeeeeeeeeeeeeeeeeeeeneeeeaeeseaeeseaeeseeeeeeeteas 4.21-413 
4.21.2.2.3 Configuration Example ...........:cccceeeccecseeeeeeeeeeeeeeeeeeseeeeeeeeeseaeeeeeeeseaeeneeeene 4.21-414 

4.21.2.3  Method-2-Specific Autoconfiguration Parameters ...........ccceceeeseeeeeeeeeeeeeeeeeeeees 4.21-415 
4.21.2.3.1 Voice AUtoConfiguration 0.2... eee eeseeeeeenneeeeeeeeeeseeeeeeenaeeeeeeeeeeseneeeees 4.21-415 
4.21.2.3.2 Downloading Configuration and Software ...........0. cee ee eee teeter eeeees 4.21-415 

4.21.2.4 Method-3-Specific Autoconfiguration Parameters ..........:cccecceeseeeeeeeeeseeeeeeeeeees 4.21-417 
4.21.2.4.1 Voice AUtOCONFIQUIATION «00.0... eee eeeeeeeeneeeeeeneeeeeenaeeeeenaeeeeeeaeeeenenaeeeeenaees 4.21-417 

4:21 24:2 “Enabling test:calllS .:.22::2ct4cccck lec tiete sadcct bes intatensalsoeSianinta tenses och beccsattaneeetay 4.21-417 

4.21.2.5 Method-4 Autoconfiguration 0.0... eecceeeesneeeesneeeeesneeeeeeneeeesenneeesssaeeeesenaeeeeenaees 4.21-417 
4.21.3 Configuration and Statistics 0.0... eeceeeeeeeeeeeeeeeeeeceaeeeeaeeseaeeseaeeseaeeseaeeseaeesneeeteaeeeeaeess 4.21-418 
4.21:4) “Debug and NraGe aise. cc A stearate Megs eatin eye bat Grwatieeigeee 4.21-419 
4:22... DNS REIAV/APIOXY ts¢. ee ernecctasts foley: nda Santee ade ae ei Matte eet eee een ae 4.22-420 

AsQ2 eA? SFOATULOS:<nzczhecsech isu retnces cis gedeeeseeaesatadscsciasteeuahduasdessiedseush saredvsvactecustseeeassen a adeust bepseshtaatehe 4.22-420 

4.22.2 Configuration COMMANAS ...........:ecceeeceeeeeeeeeeeeeeeeeeeeeseeeeeeeesseeeeaeeessaeseaeeesieeseeeeesieeeeaeees 4.22-420 
4.22.2.1 Setting Name Server ACOreSSES ..........:eecceeseeeseeeeeeeeeeeeeeeeeeeeeeeeaeeeeeeseeeeseeeeeaaes 4.22-420 
4.22.2.2 Configuring Cache SiZ@........e eee eeeeceseeeseeeeneeteaeeeeaeeteaeeseaeeseaeeseaeeseaeessaeeseaeetsaes 4.22-421 
4.22.2.3 Configuring the Source Address of Relay AQent ..........:::ccceseceeeseeeeeeeeeneeeeeeeeaees 4.22-421 
4.22.2.4 Configuring the Local Router to use DNS Relay/Proxy .........c:ccccceeeceeeseeeeeeeeenees 4.22-421 
4.22.2.5 Learning DNS Server ........cececesceeesceceeeeeeseeeeaeeseaeeseaeeseaeeseaeeseaeessaeeseaeessaeeseaeeseaes 4.22-421 
4.22.2.6 Configuring Client AUCreSSES ..........:cccceeeceeeseeeseeeeeneeeeeneeeaeeeseeeeeaeeeeeeeeeeeeseeeeeaaes 4.22-422 

41223" -SlalStlOS AA cose Rene teh eth cotiet aes tice a ca eee ete se heer 4.22-422 

4.22.4 Configuration Example ...........eeececeseeseeeseeeeeeeeeeaeeeeeeesaeeeeeeesaeeeaeeesaaeseaeeesaeeseaeeseeeeeaeees 4.22-422 

4.22:5; ‘Statistics + vecinaie oe Aen i eres eee ean eet aera 4.22-423 

4:22.6 “Debugalid Trace si sci25 ss seecteccecies snnes caeehetes Sigaes a taeet st geantse eax fd Gielteewioe gies eerie ae 4.22-423 

4.23 Virtual Router Redundancy Protocol ............cccccesseeeeeeneeeeeeeneeeeeseeeeeenaeeeeseaeeesesaneeesenaeeeesenenereeaas 4.23-424 

423.1) FO AUIS ecseieide tee citeded dn verde ech eg ona do tine Pati uie pen gtactenee nae areeaagncgtiy 4.23-424 

4.23:2:> -Configuration: COMMANGS vss ssecisz ceca ves cesassazzeveiealasoexcagasedavis denaseaaiceuhoejocdetanscs gusta cidezeansee’ 4.23-424 
4.23.2.1 Virtual Router IP AdreSs «0.0.0... eeeseeeeeeeneeeeeneeeeeeeeeeeeneeeeeaeeeeseaeeeeeeeaeeerenaeees 4.23-424 
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4:23:2:2: NMirtuali MAG ‘Address sucfes. id iets cenezecckaaseeitchans sgevid iedsiseteetuesinpaidéspuacag eid etsdeeeteees 4.23-425 
4.23.2.3 Setting a Priority Of A ROUEN oo... eee eeeeeseeeeeeeeeneeeeeeeeeseeseaeeseseeseaeeteaeeeeaeetenees 4.23-425 
4.23.2:4  -Preemptloniscc sities bee acid etn ive dees ete oie dh he ae eee 4.23-425 
4.23.2.5 Advertisement Tier ............ccccceeeceeeeececeeesceeeeeeeeeeeeneeceeseseeeeeeneeeeseseaseeseseeeeeseeneers 4.23-425 
A23:2.6° “TIMEPECALNING) sercee 264 25 gece des cee vee ukcedatestea ch csseovedenltes Aeashcuiesteuetass Geegtevaedies Audeasteee! 4.23-425 
4.23.2.7 Authentication PaSSWOI ..........eeeceeeseeeeeenneeeseeneeeeeeaeeeeeeaaeeesesaeeeeesaeeeesenaeeenenaees 4.23-425 
4.23.2.8 Monitoring Interface... eee eeeeeeeeeseeeeeeeneeeseneeeeeeeeeeeeeaeeesesaeeeeseaeeeeeseaeeetenaeees 4.23-426 
4.23.2:9 Tracking Interfaces. ..2ici..cccssecceekecs evens dedhite ggevacieedevicen cu ee cenl cciceenyannceeesavheenscors 4.23-426 
4.23°2:31.05 TAaACKING: ASW. :eccestech see ceeeaccsceuerecsdeedee od eg icSeeaeewdexte sthones ase sea hee dw eetiaeece 4.23-426 
4.23.2.11 Sending SNMP Traps. ..........-c:escccessceeseceescereseeeeseeneeeeeeeeeneeenenseneneneenseneneenensenenaes 4.23-426 
4.23:3° -Configuration: EXAMPIOS 20 ts. scececcnceassnaceteenzeczcataasadeccess eceehbdsediea ca eesataasad eet azadeshangcidetesedes 4.23-426 
4.23.3.1 Basic VRRP Topology ......... ec eeeseeeeeseeeeeneeeeenneeeeeeaeeeeeeaeeesesaeeeessaeeeenenneeeeseaees 4.23-427 
4.23.3.2 Load Sharing with Redundant VRRP Topolog)...........::cescceeeceeeeeeeeeeeeeneteeeeeeenees 4.23-427 
A234" -OlaliStlCS 4: Aalst cia eee ieee cede ene ees Devers a ed ohana iets 4.23-429 
4.23.5. «Debug and: Trace sss. cass: iectiedeesnsestastacdesa ed icestasingdsnadecseZiancag dash tisasdascagdsanteaaethareag asa stascse 4.23-429 
4.24 ICMP Router DISCOVERY Protocol (IRDP) .....0.....:ceecceeeeceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeseaeeseeeessaeeneeeenea 4.24-430 
4.24.1. INMWOGUCUION fexcrccy os eka ieee ea verid el aa ei eeene ha eee thea ave ee dees 4.24-430 
4.24.2 Configuration COMMANAS ...........eecceeeeeeceeeeeeeeeeeeeeeeeeeeaeeeeeeesaeeeaeeeseaeseeeesieeseieeeeneeeeaeees 4.24-430 
4:24.21. “Enabling: IRDP vec aitceccee Se cesete ces ae garchd ad avg tents keene ade one ene 4.24-430 
4:24.22:  Gonfiguring Hold: Time? css.si cc cagaczeseessdsecstenna. diecstsenateetaecdessdaaadepad-ddeephacasaeseeetdebes 4.24-430 
4.24.2.3 Configuring Advertisement Interval ..........::cccceeeceeseeeseeeeeneeeeeeeeseeeeeeeeeeeeeeeeeeeaaes 4.24-430 
4.24.2.4 Configuring Preference 20.0... eeecececeeeneeceeeeeeaeeceaeeeeaeeseaeeseaeeseaeeseaeesnaeeseaeesaes 4.24-431 
4.24.2.5 Broadcast/Multicast EMISSION............cccceeeseeeeeeeeeeeeneeeeeeeneeetenaeeeeneneeeeeseeeerenaeees 4.24-431 
4.243. Configuration: EXAMPICS i. csescccece cece cessee aatcencteteateesst eects eecveaccetenendeedeetendtiecnareenseand! 4.24-431 
ADA AX SSTALSUCS ccrzseicitn ces tozaec cine Ses Se eect hatete secs staal: eatosaeid ids see coy h ace 8 tN ea Alatee Saeco asks 4.24-432 
4.24:5° /Debugand. Traces..t.sicn teint ea eee ee 4.24-432 
4.25. IP: Server LoadiBalancing)::iiiiccsctteecats Take Wad eee ete celts Rinne edeat ities aaah 4.25-433 
B25 c1. “F@atures: se). siaet te iecsece eis etehoievid ek ceatpe aah ee ee eR ee 4.25-434 
4.25.1.1 Scheduling AIQOritHms........... eee eeeeeeseeeeeeeeeseeeeeeeeeseeeeeeeeeseeeeaeeeeaeeeeaeeseaeeeseeeeaees 4.25-434 
4.25.1.2 Automatic Server Failure Detection ...........eceeeceeeseceeeeeeneeeeneeseeeseaeeseeeseeeraes 4.25-434 
4:25.413: . Automatic Un-tall. inne il dee ie seed ae hee Wie ee 4.25-434 
4.25.1.4 Client-Assigned Load Balancing............cccceeeceeseceeeeeeeeeeeteneeeeeeeeeeeeeeeeseeeeeeeeeeaees 4.25-434 
4.25.1.5 Delayed Removal of TCP Connection Context..........ccecceesceeeseeeseeeseneeeeneeseneereaes 4.25-434 
4.25.1.6 Maximum Connections - Maximum Clients ..........cceeeceeeneeeeeeeseeeeeeeeeeeeseaeetaes 4.25-434 
B25 WT > oS OrVer: NAW cei sio5cssazceseesesviadscag asst sacatesiscasdagatsaeashissagdsantecaedhineaidesstsesishaniasdaieteeactie 4.25-434 
4.25.1.8 Server Port Translation and Port-Bound Serves .........::ccecceeeeeeeeeeeeeneeeeneeteeeeeaes 4.25-434 
4725219". Sticky GOMMECONS sci. eaacees ecu iy cere ve cect evlvdeads eteGibtd eas bataeeh se eden be neeeig Wee 4.25-435 
4:25'2: . “COMPQUIALON erseveesecp eee ese eeu stencateeds ce engenders cagenacchadidh ceohue. irene ieee eee aera 4.25-435 
4.25.2.1 Server Farm Configuration ..........cecceescceesceeeseeeeeeeeeseeeeeeeeeseeeeeeeseseeseaeeseeeseeeseaees 4.25-435 
4.25.2.2 Real/Physical Server Configuration ............cccceecceceeeeeeeeeeneeeeeeeeeeeeeeeeeeeneeeeeeeeeaees 4.25-435 
4.25.2.3 Virtual Server Configuration ..........ecceecceeeeeeeseeeseeeeeneeeeeeeeeaeeeeeeeeeeeeeeeeeeesieeeeaaes 4.25-436 
4:29.2:4 . Port Bound Se@rvers:.iccciayctes cs eeheen dete cp tene tt betel adept aingeidnenideicea etna 4.25-436 
A253. «SHOW COMMANS Actes het rari etendsl nowt Sane taeete meager ensiatneareeg ee 4.25-436 
4:25:4~ -Cle ar COMMANAS 2:5 22 -sse05: keassaeaicdstshaascudestieaieeyhasidl udaeexeesmiar iota detsreinaa 4.25-437 
4.25.5 ‘Configuration: Example vss: :cs.ceceoseectecheisiccececdeleclagstecenstseteclinsdiceecte elctletiecvnveesievbisedinnes 4.25-437 
4.26 Routing Information Protocol (RIPV1 and RIPV2)........ ce eeeeseeeeeeseeeeseneeeeeenaeeeeeseeeeseneeeeeenaeeeeneas 4.26-439 
4:26:10  -F@AtureS:::...28 sincctes niente teeeiidioy eth, eas ee ee i ee 4.26-439 
4.26.2 Configuration COMMANAS ............cecceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeseaeeeeeesaeseeeesieeesieeeenaeeeeees 4.26-439 
4°26-2:1 Enabling: RIP: sezsicsssccsetcsezthscej dass tidnceteeca dicen taspesiaes tad fascesesteseadeasateaacdageiagasdeeeaersse 4.26-439 
4:26:22. -AdjUStING: TIMOIS sacciesds ec cgstet ceeds le yessbee ieee sa destasleveetan esses tiey ates eve nreeceng elce 4.26-440 
4:26:2:3 Setting (RIP: VersiOnSixs.03 15 seen eckson cede op iene betet dead see eden decenens l ticiedevbaseeueees 4.26-440 
4.26.2.4 Configuring AUthentiCation .......... ee eecceeeeeeeneeceeeeeeeeeaeeeeaeeseaeeseaeeseaeeseaeeseeeeeaes 4.26-440 
4.26.2.5 Generating a Default Route into RIP .........ceceeeeceeeseeeneeeeneeeeeeseeeseaeeseaeeseeeeeaes 4.26-441 
4:26:2:6 -RedistributingiROUteS ics s:ccscczécscsescdhascaidasessasacsascagieaniceqasigataddesasssatshasiapdesetetantie 4.26-441 
4:26:2.7 — Route FilterinG.cscitvinteeteereeitee heievied ty ites eee tel eae 4.26-441 
4.26.2.7.1 Filtering Based on Access Lists 00.0.0... ec eeeseeeeeeseeeeeeneeeeeeeeetenneeeneneneeee 4.26-441 
4.26.2.7.2 Filtering Based on Prefix Lists... eeeseeeesseeeeeeneeeeeeeneeeeeseeeeeeneeeeees 4.26-442 
4:26:2.7.3: -DiStribUte=LISts :239.c2 ee. ceshace gdh su eae cevaua tacesd secedsbaasde Sah senedenaedgevseeanadesenetecals 4.26-443 
4.26:2:/:4. ‘Route Mapss.ct i A a es a ee 4.26-443 

4.26:2:3.  TrigQered RIP sisec.icccehiel i itevss devas bdicneseneesdgens diva eects deve sbuechacieb beret eblte sets 4.26-444 
4.26.2.9 Administrative Distance .........eeeeeeseeeeeeneeeteeeeeeeeeeeeeeeaeeesenaeeeesseeeeeesneeerenaeees 4.26-444 
4.26.2.10 RIP Update Filtering ......... cece eececeseeceneeeeeeeeeeeceaeeseaeeseaeeseaeeseaeessaeeseaeessaeeeeaeessaes 4.26-444 
4.26.3: -GonfiguratloniExam ple e.ct3 s2:hcs0:225isasccevaacpa tue snas cdieeagbcsbatas sddatanae cents gheadevaasdeeeistsdieuss seared 4.26-445 
4.2634: Statistics si yiaaicanieti deta nln tobias dailies 4.26-445 
4:26:5:. -Debug-and: TraCe wis aise acid isteeehs baie ee i ee a ed die ee he 4.26-446 
4.27 Border Gateway Protocol (BGP-4)..........cceeseceseeeeeeeceeeeeaeeteaeeeeaeeseaeeesaeeseaeeseaeeseaeeseaeeseaeeseaeenias 4.27-448 
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B27.’ NMIMtOGUCHION waseicsessezeeecelica td ciceeteg best bakcdeeageseennnsaceceuscegeeit addecaaccgensnbeebaaensagbisd bepsiehtatgesi 4.27-448 
4.27.2 BGP Configuration Steps............ecceesceceseeeseeteneeeeeeeceaeeeaeeseaeeeeaeeseaeeesaeeseaeeesaeeseaeeenaeess 4.27-448 
4.27.2.1 Required BGP Configuration Steps ...........ccceeeceeeeeeeeeeeneeeeeeeeeaeeeeeeeeeneeeseeeeeaees 4.27-449 
4.27.2.1.1 Enabling BGP Routing ........... cc eeceeeceeeneeeeeeeeeneeeeeeteaeeeeaeeseaeeeeaeeteeeeeaeetias 4.27-449 
4.27.2.1.2 BGP Neighbor Configuration...........:ccccceeeeeeseeeeeeeeieeeeneeseneeseeeeteeeseeetias 4.27-449 

4.27.2.2 Configuring TCP MD5 signature option for BGP SeSSIONS ............:ceeeeeeeeeeeteee 4.27-449 
4.27:3° SNMP Traps vai: iteietoest Site ene sldteshcieen inecdaaagl al deyiolni dala 4.27-450 
427.4 BGP’ Peer-Groupsisitiisi leicht the. Seed chien Mahiee ectedieecaae ainda idle the 4.27-451 
4.27:4.1 - Peer Group: Creation vs...sc ives: escsnes eves saesies bt ieee ca tienes arenes Siegen ee eene tegen 4.27-451 
4.27.4.2 Assignment of Routing Policies and Attributes ..0....... eee eeeeeeeeeeneeeeeeeneeerenaeees 4.27-451 
4.27.4.3 Neighbor Membership Configuration in a Peer Group..........c:ceesceeeeeeeteeeeeeeenees 4.27-452 
4.27.4.4 Disabling a Peer or Peer Group .........::eeeeceeseeeeeeeeneeeeeeeeeeeeeeeeeeeeeeeeeseeeeeeeeeeaaes 4.27-452 

472 7:5: ‘Load Sharing s..cccie aides Mele vclet set stidiaietaedics cei iad tetugitsened el neawh aeekiehe ie omaed leuaigle 4.27-452 
4:27.68.‘ BackdoorROUtes wax. .c: tices centethete is sectee edhe hate evden adits ete i oddevdie eve cette nathan 4.27-453 
4.27.7 Administrative Distance ..............:ccceseccceeeseeeeeeeeeceneseneeeeeseeeeesseeeesesenseseeseeeeeesasenesenseeeeaces 4.27-453 
4.27.8 Route. Redistribution sce. c.c.scc.cceeeseneesceeeseccoceeeeeecchee stceeesbcbacehesceecsesenebeebueceeeesazevedeteneesecbs 4.27-453 
4.27.9 Modification Of BGP ROUtING........ ce eececeseeeeeeeeeeeeeeeeeeeeeeeeeeeesaeeeaeeesaaeeeaeeesieeeeeeeeieeeeaeees 4.27-453 
4.27.9.1 Disabling AS Path Comparison ..........ccceecceesceeeeeeeeeeeeeeeeneeeeeeeeeeeeseeseeeeeeeeeeaaes 4.27-453 
4.27.9.2 Configuration of Default Local Preference. ............... cece eee tee teee terete teeta 4.27-454 
4.27.9.3 Disabled Default Next-Hop Processing ...........cscceeesseeeesneeetesneeeeeeneeeeeeeneeerenaeees 4.27-454 
4.27.9.4 Next-Hop Setting Using Self AddreSS....... cei eeceeeseeeeeeeeeeeeeeeeeeneeeeeeeeeeeeseeeeeaaes 4.27-454 
4.27.9.5 Next-Hop Setting Using a Route Map ........ cee eeeceeeseeceneeeeneeteaeereeeseaeeeeaeeeeaeetaee 4.27-454 
4.27.9.6 Multi Exit Discriminator Metric Configuration ..........ccceecceeeceeeeeeeseeeeeeeeneeeeneeeeaees 4.27-454 
4.27.9.7 Configuring the Router to Consider a Missing MED as Worst Path.............:006 4.27-454 
4.27.9.8 Path Selection Based on MEDs from Other AS..........cecceecceeeceeeteeeeeeeteneeeeeeeeeaees 4.27-455 
4.27.9.9 MED-Based Routing in Confederations. ...........ecccccceeeceeseeeeeeeeeseeeeeeeeeneeeeeeeeeaaes 4.27-455 
4.27.9.10 Administrative WeIQNt.......... cc eeeeeeeeseeeeeeeneeetenaeeeeseeeeeeeaeeeseaeeeeseeeeeeseaeeerenaeees 4.27-455 
4.27.10 BGP Timer Configuration...........cccceesceseceeeeeeceneeeeeeeceaeeeeaeeseaeeeaeeseaeeesaeeseaeeeaeeseaeeenatens 4.27-455 
4.27.11) “ROUTING! POlCIOS 5:05 2:2 este cad eles ses 0 shackde shag siceashiaadcepeicideeascastsyaaeadeasteccgasvhsaadeeateanseeninaaseias 4.27-456 
4.27.11.1 AS Path Filter Definition 0... eee ceceeeeeeeneeeeeeeeeeeeeeeeeeaeeeeeeeeeeeeseeeeeeeeseeeeeaaes 4.27-456 
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3 SYSTEM MANAGEMENT 





3.1 INTRODUCTION 


OneOS offers an embedded file system for software and configuration files. It is possible to save several 
software releases and configuration files. When the equipment is started up, the boot software reads the 
application software file (via the file system), decompresses this software image and launches the 
application software and the configuration file. 


The OneOS-based router provides interfaces for device management: 


e Console Port: Asynchronous port, used primarily for access to the Command Line Interface (CLI) for 
configuration and management, and optionally for using embedded debugging. 


e Ethernet Port: Enables connection of a PC for configuration via Telnet or the downloading/uploading 
of files with TFTP/FTP. The IP address of the port is configurable with the CLI. It is also possible to 
manage configuration or file transfers via the second Ethernet port or remotely via IP over ATM. 


3.1.1 Preliminary Instructions 


The device configuration is not case-sensitive. 


Keywords in commands are written in the following style keyword. Parameters, which are user- 
defined, are not bolded in the command line. 


User-defined parameters are written inside the < > expression and are not written in bolded 
characters. Example: <ip-address>. 


Optional instruction parts are written between the following characters [ ]. Example: [optional- 
instruction-set]. 


When several alternatives are possible, they are written between braces. The | character is the 


separator between the alternative instruction sets provided between braces. Example: 
{ instruction-set-1 | instruction-set-2 | ... }. 


Ranges of discrete values are provided as follows: <lowest-number..highest-number> or 
<lowest-highest>. Example: <1. .30> is the same as <1-30>. 


3.1.2 Getting Started 
The equipment is delivered with OneOS software and a default configuration file. Two methods can be 
used to enter into the configuration CLI: 


1 - Connect to the FastEthernet 10/100 port (or to Ethernet 10Base-T port of ONE400). For routers with an 
embedded switch, use the Fast Ethernet (port 0/0) on the right hand-side (port 0 on left hand-side for 
ONE60) and use a Telnet client with the following default factory settings: 


e IP address: 192.168.1.10 
e Username = admin Password = admin 


Note: unauthorized connection attempts are subject to blacklisting (see 3.27). 
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2 - Connect to the console port (default factory settings): 
e Serial parameters: 9600 bps, 8 bits data, No parity, 1 Stop bit, No flow control 
e = After the reboot 


Username: admin 
Password: admin 
CLI> 


Note: unauthorized connection attempts are subject to blacklisting (see 3.27). 


While entering CLI mode it is possible to read, modify or create a configuration and access the file system 
(see next paragraphs). 


The prompt (CLI in the example) can be changed using the following command: 


CLI> hostname <newname as string 1..64> 


Warning: the prompt may be truncated, depending on the context, when the hostname string gets a 
high length. 
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3.2 CONSOLE PORT SETTINGS 


3.2.1 Default Settings 


The console port is enabled and functions with the following parameters: 9600 bit/s, 8 bit-encoding, No 
parity check, 1 Stop bit, No flow control. 


3.2.2 Disabling Console Port 


For security reason, it is sometimes desirable to forbid access to the system console port. From the 
management center, we can use ‘telnet’ or 'FTP' to change the device configuration and disable the 
console port with the following command: 


CLI> console disable-input 


To re-enable the console port, use the following command: 





CLI> console enable-input 
3.2.3 Console Port Inactivity Timeout 


After an inactivity period, the user is prompted to enter its login and password again. By default, the 
timeout is 10 minutes. To configure the console timeout, the command in global configuration mode is: 


CLI (configure)> console timeout <seconds> 


To restore the default timeout, use: 





CLI (configure) > default console timeout 
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3.3 FILE SYSTEM 


3.3.1 


Introduction 


Two file systems are available: 


The ramdisk file system identified by "ramdisk: /", which is volatile. It is used only by the system. 


The disk file system named as "flash:/", which is permanent. It includes software and 
configuration files. 


The disk file systems are pre-formatted at the factory. 


The ramdisk content is erased on power on (not after a reboot). 


3.3.2 File Systems Layout 


The ramdisk contains: 


The "tmp" directory for saving temporary files 


The "running-config", a text file that contains the CLI commands used to build the current 
configuration 


Events files (log messages) 


The permanent disk contains: 


A "BSA" directory 

Other sub-directories under "BSA" including: 
e config: For configuration files 
e binaries: For execution files 


e dump: For log and debugging purposes 


3.3.3 File System Commands 


The following CLI commands are available for the management of files and directories on the disk file 


system: 

e devs [flash | ramdisk]: Without parameters, the command displays the drive in use 
(flash or ramdisk). With parameters, the user can change the current device. 

e = pwd: Displays the current working directory (initialized when a CLI 
session is started to the root of the current device) 

e ed <directory>: Changes the working directory 

e mkdir <directory>: Creates a new directory 

e ls: Lists files and directories inside the current directory 

e cat <filename>: Lists the contents of a text file 

e exec -echo <filename>: Executes a CLI script 

e xm <filename>: Removes a file 

e rm *: Removes all files, directories and sub-directories in current path 


mv <filenamel> <filename2>: Renames a filename 


copy <filel> <file2>: Copies a file (source: file1, destination: file2) 
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e copy tftp://<tftp_server>/<filel> <file2> [<source-interface> <unit>]: 
Downloads a file (file1) from a TFIP server and save it under file2. Example: 
copy tftp://10.20.30.2/One0s OneOs.new loopback 1 


e copy tftp://<tftp_server>/<filel>.tar <path> [<source-interface> <unit>]: 
Downloads a TAR file (file1) from a TFTP server and save it under target path 


e copy <filel> tftp://<tftp server>/<file2>: Uploads file1 to a TFTP server and save the 
file as file2 on the server 


e show device status { flash: | ramdisk }: Shows the available space in the 
flash/ramdisk disk and some miscellaneous information of file system status 


e chkdsk: Verifies if the file system is corrupted 


Examples: 


CLI> ed / 
CLI> pwd 
/ 
CLI> ls 

BSA/ 512 
startup-config 0 
gshdsl 287 

voiceoa 1147 
iproute 60 
vxWorks.ZZZ 2077607 





CLI> cat iproute 

configure terminal 

ip route 0.0.0.0 0.0.0.0 Atm 0.1 
exit 


Example for downloading a new software release: 


e Read the bsaBoot.inf file to read the current location and name of the software: 


CLI> cd BSA 

CLI> cat bsaBoot.inf 

flash: /BSA/binaries/vxWorks .Z2ZZ 
flash: /BSA/config/startup-config 


e RunaTFTP server on a PC (IP address IP = 10.10.10.1) and enter the following command: 


CLI> ed BSA/binaries 
CLI> copy vxWorks.ZZZ vxWorks.sav 
CLI> copy tftp://10.10.10.1/c:\temp\vxWorks.ZZZ vxWorks.22Z 


e _— After the file transfer, reboot the device: 


CLI> reboot 
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3.4 GETTING ROUTER HARDWARE & SOFTWARE INFORMATION 


If you want to display details of the router hardware, please enter the following command: 


CLI> show system hardware 


To display additional details of the router hardware, please enter the following command: 


CLI> show product-—info-area 


To show the current running software version: 


CLI> show version 


To show the software version of an OneOS image in flash: 


CLI> show soft-file info <path/name> 


Usually the command must be the following: 
CLI> show soft-file info /BSA/binaries/OneOs 
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3.5 START-UP 


A file, bsaBoot .inf in directory BSA is used on start-up to load and execute the OneOS software and to 
run the startup configuration file. 


For example, inthe bsaBoot. inf file 2 lines are written: 
flash: /BSA/binaries/oaOne400.222 
flash: /BSA/config/start-—config.cfg 
The first line (oaOne400.222Z) is the application software image file and the second line (start-— 
config.cfg) is the configuration file used on start up. 
It is possible to change the content of the bsaBoot .inf file by using the following commands. 
To change in the bsaBoot. inf file the application software image file name: 


CLI> boot software image <full-pathname-OneOS> 


To change in the bsaBoot . inf file the configuration file name: 


CLI> boot configuration <full-pathname-config> 


If the startup configuration file is not present the device starts up with a default configuration. 


Note: the software image file and the configuration file can be uploaded / downloaded to and from a server 
using the file system commands depicted in 3.3. 
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3.6 CONFIGURATION OF MANAGEMENT FUNCTIONS 


The Command Line Interface enables the user to configure and to fully manage the OneOS-based router 
with an easy-to-use interface. Modifications made to the parameters are applied immediately after 
checking parameter consistency and validity. The CLI is accessed via a Telnet session (locally or 
remotely) or via the Console serial port. 


A shell/debug interface is accessible from the console interface by entering the command tshel1 on the 
CLI (after entering the shell interface, the CLI command can be used to return to the CLI). The shell/debug 
interface is outside the scope of this document and its usage is only intended for OneAccess support and 
development team. 


Note: unauthorized connection attempts are subject to blacklisting (see 3.27). 


3.6.1 Starting a Telnet Session 
The configuration session is accessible via a Telnet session from a PC (or from a UNIX station) connected 
using the command: 


CLI> telnet <device_ip_address> 


The default value (factory) is: 192.168.1.10 


When first configuring the device, it is recommended to connect a PC to the 10/100base-T interface of the 
OneOS-based router (or the 10base-T interface of the ONE400) and use the corresponding IP address. 


If the Telnet application is accessed from NT, it is best to select terminal options as "VT100 arrow". 
The user and password defined by default are admin and admin. 
Note: unauthorized connection attempts are subject to blacklisting (See 3.27). 


By default, the IP address of the Telnet server is attached to the Ethernet interfaces. To use the IP address 
of another interface, a bind command must be entered. 


3.6.2 Configuration Session 


After logging in and entering a CLI session the CLI offers a similar interface as a "UNIX shell" with a 
hierarchically defined tree of commands. It offers history and command editing, i.e.: 


e CTRL-n[p], upper and lower arrow: — get next[previous] command 


e CTRL-b, left arrow: move cursor left 

e CTRL-f, right arrow: move cursor right 

e CTRL-d: delete a character 

e ESC-bff]: move one word back [forward] 


For each command there is an associated help string using the “?” character. The “?” character can also 
be typed in a command to display command arguments. 


For example: 


CLI (config-if)> ? 

Bandwidth - Set bandwidth informational parameter 
Driver - Driver identification for ATM current interface 
Exit - Exit intermediate 

Gshdsl - Set the DSL interface in G.SHDSL mode 

Ip - IP configuration subcommands 

No - no 
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oam-flush — oam-flush 

Pvc - pvc 

Sdsl - Set the DSL interface in SDSL mode 
Service-policy - Service-policy 


The configuration commands are available after entering the configuration terminal command that 
makes the CLI entering in "global configuration mode". To return to the initial CLI state, either enter exit 
when the CLI is in global configuration mode or enter end at any stage of the device configuration. 


3.6.3 Saving the Configuration on a Permanent Disk 


The user can save the running configuration (volatile storage) into the startup file for boot specified in the 
file bsaBoot.inf, or into a specific file when specified with the CLI save command (after leaving CLI 
configuration mode): 


CLI> save running-config [to <filename>] 


This command has the same effect as ‘write memory’. 


3.6.4 Editing a Configuration File 


The following is recommended for efficient configuration of an OneOS-based device: 
1. First, build the configuration in a text file on a PC using notepad.exe 

2. Opena Telnet session with the equipment 

3. Copy the configuration lines in the notepad window 

4. Paste the lines into the Telnet window 
5 


Save the configuration with the save running-config command if the configuration is to be used 
for the next reboot 


A second method consists of using the command copy. It is possible to upload the configuration on a PC, 
modify the configuration file with a simple editor such as notepad.exe, and download the configuration file. 


Example for uploading: 


CLI> copy /BSA/config/bsaStart.cfg tftp://193.1.1.2/c:\config.txt 


Example for downloading: 


CLI> copy tftp://193.1.1.2/c:\config.txt /BSA/config/bsaStart.cfg 


3.6.5 Scheduled Reboot 


After modifying a configuration it may be necessary to reinitialize the device: 

CLI> reboot [ { after <seconds> | at <dd>/<mm>/<yy> <hh>:<mm>:<ss> } ] 
This is similar to a power down / power up procedure except that the ramdisk device is not cleared. If no 
argument is provided, the device reboots immediately. When using the after argument, a reboot is 


scheduled when the number of seconds has elapsed. The at argument schedules a reboot at the provided 
date and time. 


If you wish to cancel a scheduled reboot, use the following command: 


CLI> reboot cancel 
3.6.6 Reboot and Test a New Configuration or Software Image 
You may want to test a new configuration file or test a new software image. For that purpose, a special 


reboot command enables you to define a configuration file and a software image that are not the same as 
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those contained in the /BSA/bsaBoot.inf file (default start parameters). With this command, the router 
reboots using the software image and configuration file and will re-use the default software image and 
configuration file at the next reboot, thus enabling you to check whether the new files are satisfying or not. 
The command line is the following: 


CLI> reboot-check [at <hh>:<mm>:<ss>] <sw-image> <config-file> 


at argument schedules a reboot at the provided time. If you wish to cancel a scheduled reboot, use the 
following command: 


CLI> reboot-check cancel 
3.6.7 Reset of Device Configuration 


When using a device, it might be tedious to destroy the configuration. The following command simply 
erases the current configuration file and reboots immediately the device to take the default configuration 
enter in effect: 


CLI> erase saved-config 


3.6.8 Restoring Factory Settings 
This function enables to reload a router as if it was coming from factory. OneAccess factories can load a 
set of custom default files in flash of the router (to be discussed with OneAccess sales). 


As a first step, the restore-factory settings checks if flash: /BSA/binaries/OneOs exists and if itis a 
valid binary. In case of error, the restore factory settings function fails and an error message is displayed. 


If the above mentioned condition is met, the following actions are carried out: 
e Remove all files except certain system files 
e = flash: /BSA/bsaBoot.inf 
e = flash: /BSA/binaries/OneOs 
e = flash: /BSA/config/bsaStart.cfg 
e = flash: /factory-backup/ (and all files found under that directory) 
e = flash: /ibc (and all files found under that directory) 
e = flash: /t ft pboot (and all files found under that directory) 
e Restore certain system files based on specific security policies 
e Regenerate password file flash: /password 
e Regenerate file flash: /BSA/bsaBoot.inf 
e Restore certain content, based on "factory backup" content 


e § 6if flash: /factory-backup/default-bsaStart.cfg exists, copy flash: /factory- 
backup/default-—bsaStart.cfg to current configuration file (bsaStart .cfg) 


e if flash:/factory-backup/default-bsaStart.cfg does not exist, erase the start 
configuration (as given in flash: /BSA/bsaBoot. inf) 


e if flash:/factory-backup/default-—web.tar exists, untar the file flash: /factory- 
backup/default-—web.tar in flash: /webroot/ (use the clean-up options; as the 
command: untar <file> <dest> clean-up all-sub-dir) 





e§ 6if flash: /factory-backup/default.wcfaccounts.ini exists, copy 
flash:/factory-backup/default.wcfaccounts.iniin 
flash:/.wcfaccounts. ini; otherwise, erase .wcfaccounts.ini 


e 6if flash: /factory-backup/default-password exists, copy flash: /factory- 
backup/default-—password into flash: /password 


The following command restores factory settings and reboots the OneOS-based router: 


CLI> restore factory-setting 
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3.7 SOFTWARE UPGRADE OF A ROUTER 


3.7.1 Upgrading an OneOS-based router 


There are several ways to upgrade a router with a new software release. This manual proposes to follow 
the following steps. Prior to making a software upgrade, it is strongly advised that you read information 
about the file system (3.3) and configuration management (3.6). 


First, you should verify that the file bsaBoot.inf has the following content. The verification is done as 
follows: 


CLI> ed /BSA 

CLI> cat bsaBoot.inf 

flash: /BSA/binaries/OneOs 
flash: /BSA/config/bsaStart.cfg 





The content of bsaBoot . inf, as listed above, conforms to OneAccess standard factory settings. The new 
software that you will load on the router will have to be named OneOs in the directory /BSA/binaries. 
The old software must be first saved under a new name (for backup): 


CLI> ed /BSA/binaries 


Before downloading the new software, please check that the flash disk provides enough space for the new 
file. 


CLI> show device status flash: 
If needed, remove older software with the rm command. Then, the new software must be downloaded via 
FTP or TFTP. Here is an example with TFTP: 

CLI> copy tftp://193.1.1.2/c:\tftp:\OneOs OneOs.new 


Optionally, you could have provided a source IP address (like loopback 1) for the TFTP transfer as follows: 
CLI> copy tftp://193.1.1.2/c:\tftp:\OneOs OneOs.new loopback 1 

Be careful that the file system is case sensitive. In other words, if OneOs is mistyped (wrong capital 

letters), the boot software will not start any software (e.g.: Oneos is wrong). 

Before rebooting, you can check the content of the directory: 


CLI> ls 
OneOs 
OneOs .new 


To verify the downloaded OneOS checksum: 


CLI> verify soft-file [<path>/]<filename> 


CLI> show soft-file info [<path>/]<filename> 


For example: 
CLI> verify soft-file OneOs.new 
file is OK 

Finally, rename the file: 


CLI> mv OneOs OneOs.old 
CLI> mv OneOs.new OneOs 
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3.7.2 Upgrading a ONE10 


Please read carefully the last section. On products were the flash space is limited (like the ONE10), the 
RAMDISK is extended so that a new OneOS can be downloaded in the RAMDISK; it is more secure to 
copy the new OneOS into the RAMDISK. Example: 


CLI> copy tftp://193.1.1.2/c:\tftp:\OneOs ramdisk: /OneOs.new 


Then verify the integrity of the downloaded file: 





CLI> verify soft-file ramdisk://OneOs.new 
file is OK 


Replace the old OneOS: 
CLI> copy ramdisk://OneOs.new flash: //BSA/binaries/OneOs 
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3.8 PASSWORD RECOVERY 


Password recovery is needed when local passwords stored on the router are lost. With the password 
recovery procedure, all users/passwords in flash memory are deleted and the ‘admin’/admin’ 
login/password become then valid. However, a full restore of factory settings is done, meaning that the 
router configuration is also deleted. To learn more about ‘Restoring Factory Settings', please consult 
26:8. 


Password recovery is done by entering the following key sequence: <ESCAPE>, then <CTRL>+Y and 
finally <CTRL>+N. 
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3.9 


3.9.1 


CONFIGURATION RECOVERY 


Introduction 


The router boots up with a default startup-configuration that could be loaded at factory and guarantees that 
the network can be reached. A new configuration is imported on the router flash and the router is rebooted 
with that new configuration. In the event of the new configuration is not satisfactory, the router should 
reboot with the configuration specified by the recovery mechanism. The new configuration must have the 
‘configuration recovery’ mechanism configured using the CLI detailed in this chapter. 


Telling that a configuration is not satisfactory is a generic term. The criteria to define a configuration as 
being invalid must be well defined; they are: 


e configuration causing the router to crash; 


e configuration causing the router not to reach a specific IP address (that should be the network 
management IP address; if this IP can be reached, we consider that the NOC (Network Operations 
Center) can still fix the configuration remotely in case of incomplete configuration execution); 


e SIP gateway registration fails. 


When the backup-configuration is set, bsaBoot.inf points to the backup-filename as long as the above 
backup criteria are not met. The backup instructions appear at the top of the ‘show running-config’; in 
other words, the configuration backup is done potentially before a faulty CLI command is executed. 


The backup-filename must fulfill the following conditions: 
e <backup-filename> exists, is not empty and has a file size that is less than 100 Kbytes 
e The file contains only valid ASCII characters (A-Z, a-z, 0-9, \r\n\t, all punctuation marks) 


e <backup-filename> contains the string “configure terminal”. That’s just a small check in 
order to make sure the backup file looks like a configuration file. 


The connection status is verified using ICMP echoes with a default timeout of 3sec and/or the SIP 
registration. At the first successful ping, the ping test stops. After the configured backup-configuration 
criteria are all met, “/BSA/bsaBoot.inf” is restored and points again to the running-config. 


If no successful ping is realized or no sip-gateway registration is realized or if the router crashes during 
configuration loading, the router reboots with backup-configuration. A notification message is generated to 
tell the final result of the ‘backup-configuration’ test. 


3.9.2 Configuration Commands 


First, the criteria to reboot with backup configuration must be defined within a check list: 

CLI (configure)> [no] checklist <name> 

CLI (config-chk-list) > 
Sending a ping to a destination can serve as backup criterion: if the ping fails, the router reboots with 
backup configuration. If the ping criterion is used, the next command must be entered 

CLI (config-chk-list)> ping target <ip-address> 
All the following parameters are optional. The initial delay before sending the first ping is by default 
60 seconds. To modify this value, enter: 


CLI (config-chk-list)> ping init-delay <seconds> 


Every ping is sent every 10 seconds; to choose another interval: 


CLI (config-chk-list)> ping retries-interval <seconds> 


By default, the source IP of ping packets takes the IP of the output interface. To force this IP: 











CLI (config-chk-list)> ping source <interface> <unit> 


The timeout to consider a ping test failed is 3 seconds. To remove the ping criterion: 
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CLI (config-chk-list)> no ping 


To use SIP gateway registration status as backup criterion, the command is: 





CLI (config-chk-list)> [no] sip-gw-registration 


Then, enter ‘exit’: 








CLI (config-chk-list)> exit 


The check list is an object whose status is OK or KO (the overall status is OK only if sip-gateway 
registration and ping tests are OK). The check list is then attached to a backup configuration element. If 
the checklist is not OK at the backup configuration timeout, the router reboots with the backup filename as 
start configuration. The configuration of backup configuration is as follows: 


CLI (configure)> backup configuration 
CLI (cfg-backup) > 


The checklist is attached / detached with the next command: 


CLI (cfg-backup)> { checklist <name> | no checklist } 


The default timeout is 180 seconds: 


CLI (cfg-backup)> timeout <seconds> 


The backup filename is entered with the command below: 








CLI (cfg-backup)> filename <path/name> 


Example: 


configure terminal 
! Start by setting the backup configuration 
backup configuration 
filename /BSA/config/mylastgood.cfg 
timeout 240 
check-list mylist 
exit 
! Then set the check-list configuration 
check-list mylist 
ping target 10.10.10.1 
ping init-delay 30 
ping retries-interval 30 
ping source bvi 3 
sip-gw-registration 
exit 
! Continue with my nominal equipment configuration 
(ace) 


exit 





3.9.3 Statistics 


CLI> show system backup configuration 
overall status: {not configured|test in progress|no configuration backup 


needed} 
check-list name: mylist 
[check-list status: {not existing|not configured|pending|unsuccessful | 


successful}] 


CLI> show chek-list [<check-list-name>] 

check-list: mylist 

-— ping init-delay: 30 

— ping retries-interval: 30 

—- ping source: bvi 3 

- ping target: 10.10.10.1 

- ping status: {not configured|pending|unsuccessful|successful} 

SIP gateway registration status: {not configured|pending|unsuccessful | 
successful} 


Page 3.9-40 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 





3.10 


3.10. 


3.10. 


SNMP BASED MANAGEMENT 


The device is manageable via the SNMP protocol, by means of its embedded SNMP agent. 


The device can be managed using three security models: SNMP v1, v2C or v3 protocol. The first two 
protocols provide a lower level of security, the latter offers the ability to authenticate and encrypt SNMP 
messages. 


To set the SNMP source IP address and trap source IP, use the following commands, in global 
configuration mode: 


CLI (configure)> snmp source { Loopback <lb-id> 
| Ethernet <slot>/<port>[.<vlan-if>] 
| FastEthernet <slot>/<port>[.<vlan-if>] 
| Atm <intf>.<port> 
| Serial <slot>.<port> 
| Bri <slot>/<port> 
| Any } 


CLI (configure)> snmp trap-source { Loopback <lb-id> 
| Ethernet <slot>/<port>[.<vlan-if>] 

| FastEthernet <slot>/<port>[.<vlan-if>] 

| Atm <intf>.<port> 

| Serial <slot>.<port> 

| Bri <slot>/<port> 

| Any } 

The MIB2 IfDescr MIB provides interface names with space between interface and unit (example: 
“fastEthernet 0/0”). To remove the space (“fastEthernet0/0”), the next command is available 
(default: no snmp mib-ifdescr short): 








CLI (configure)> [no] snmp mib-ifdescr short 


1 SNMP v1/v2 


To restrict access to device management data by using SNMP v1/v2, community names can be defined. 
The following command sets the community for read access: 


CLI (configure)> snmp set-read-community <r_community> [<acl_name>] 
[v2group <group-name>] 
[<community-encryption>] 


<community-encryption> is optional. When set to '0', the password is entered in clear text. When set 
to '1', the password is entered using the encryption algorithm #1. 
The next command sets the community with the read+write access: 
CLI (configure)> snmp set-write-community <rw_community> [<acl_name>] 
[<community-encryption>] 
By default, public community is used for read-only access, while private community is used for read-write 
access. To remove SNMP v1 and v2 access, use the following commands from the configuration mode: 


CLI (configure)> no snmp set-write-community 
CLI (configure)> no snmp set-—read-community 


SNMP v1 and v2 traps are configurable, provided that event managers are configured. For more 
information, go to the next chapter on traces and events. 


2 View-Based SNMP Access Control 


SNMP views can be configured to allow certain users to read, write or be notified for only certain parts of 


Page 3.10-41 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


the MIB tree. SNMP views are typically configured when a telecom operator wants to access all MIB while 
allowing its customers to only see part of the MIB tree (e.g. counters related to the LAN/WLAN interface). 


The default views are the following: 
e 'vldefault': all MIBs except the OID 1.3.6.1.6, i.e. the SNMP v3 objects 
e 6'v3default': all MIBs 


To configure an SNMP view, use the following command line: 


CLI (configure)> snmp view <view_name> <oid> { included | excluded } 
CLI (configure)> no snmp view <view_name> [ <oid> ] 





<oid> stands for the root Object ID in the MIB tree (is in the form a.b.c.d...). For example, the 1.3.6 OID 
stands for access to the whole Internet MIB. 'included' indicates that the objects part of this sub-tree are 
part of the view. 'excluded' means they are not visible. You can combine included and excluded sub- 
trees for the same <view_name>. It enables to define sub-trees that are globally visible, except few items 
in the sub-tree. 


SNMP groups give access-rights and authorization to a group of users. A group tells the minimum security 
level to use for users belonging to this group. To configure a SNMP group, use the following command: 


CLI (configure)> snmp group <group_name> { vl | v2c | v3 | v3auth | v3priv 
[read <view_name> ] [ write <view_name> ] [ notify <view_name>] 





CLI (configure)> no snmp group <group_name> { vl | v2c | v3 | v3auth } 


Then, the group is required when configuring SNMP v3 users (see next paragraph). 
To apply the SNMP view on a read/write V2C community, use the following command: 


CLI (configure)> snmp {set-read-community | set-—write-community} 
<community> [<acl_name>] v2group <group-—name> 


3.10.3 SNMP v3 


SNMP v3 manages three levels of security: 


e The lowest level of security provides the same level of security as in v1 or v2. A user name 
authenticates SNMP packets. 


e Amedium level of security provides authentication using one authentication algorithm: MD5 or SHA1. 
This technique ensures data integrity and data origin authentication. 


e The high level of security, in addition to authentication, provides encryption with DES algorithm. This 
permits privacy of management flows 


3.10.3.1 Basic Configuration 


To configure access to device management data by using SNMP v3, user names can be defined. Prior to 
configuring users, a unique engine ID must be defined. By default, engineId is based on the MAC 
address of FastEthernet interface. To configure a new engineld, use the following command in 
configuration mode: 


CLI (configure)> snmp engine-id <engineld> 
Warning: As user security parameters are associated with local enginelId, a change in the engineId 
automatically removes all configured users. 


To reset the default engineId, use the following command in configuration mode. As key material is 
tightly related to the enginelId, all users declared prior the change, have a wrong key material. It is 
strongly advised to reconfigure password for each user, so that user configurations become valid. 


CLI (configure)> default snmp-engine 


To create an SNMP v3 user, use the following command in configuration mode: 





CLI (configure)> snmp user <user_name> <group_name> v3 [auth { md5 | sha } 
<auth_password> | encrypted auth { md5 | sha } <priv_password>] 
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If nor authenticated nor encrypted accesses are chosen when configuring user, then the lowest security 
level is configured for that user. The chosen group security profile must match the user’s one: a group 
configured with the attribute v3auth can only be associated with users’ v3 authentication (without 
encryption. To remove a user, use the following command in configuration mode: 


CLI (configure)> no snmp user <user_name> v3 


Example: 


snmp group v3grp v3priv read view_all write view_all 
snmp view view_all 1.3 included 
snmp user v3user v3grp v3 encrypted auth md5 v3useruser 


Under Linux, the SNMP Walk command is: 


snmpwalk -v 3 -u v3user -a MD5 -A v3useruser -x DES -X v3useruser 
10.100.30.1 1.3 


SNMP v3 traps are configurable, using event managers. However, users need to be declared so that 
necessary security level is retrieved inside the agent. 


3.10.3.2 SNMP v3 Informs 


To send SNMP v3 informs, remote users and remote entities need to be known. For further information 
about this, read following chapter on SNMP v3 informs. 


Inform requests are notifications that have to be acknowledged by the remote SNMPV3 entity (the 
manager where informs are sent). When sending an inform request, the manager answers to the device 
management with a response PDU. This reply ensures the emitting OneOS-based routers that the 
notification reached its intended destination. 


SNMP v3 informs are sent with the associated security parameters of the remote manager that is to say, 
the remote engineld, and the associated user security parameters. 


There are several ways to know the remote engine ID. To retrieve the engineld, and its timing 
parameters from a remote IP address, use the following command in global configuration mode: 


CLI (configure)> snmp discover remote-agent <A.B.C.D> 
This command triggers a discovery process that sends SNMP ‘get request’ packets and waits for SNMP 
‘get responses’ from the remote entity. 


It is also possible to manually configure an engineld associated with an IP address with the following 
command in configuration mode: 


CLI (configure)> snmp engine-id <engineId> remote <A.B.C.D> [ max-msg-size 
<484-8192>] 


If the above commands are successful, the retrieved engineld is saved in a local configuration datastore 
(LCD). 


The LCD can be filled in dynamically when triggering the discovery process by sending an SNMP v3 
inform, or by configuring an SNMP v3 user. 


To delete a remote enginelId from the local configuration datastore, use the following command in 
configuration mode: 


CLI (configure)> no snmp engine-id <engineId> remote <A.B.C.D> 
The command below creates a SNMP v3 user with its remote IP address. A discovery process will retrieve 
the remote enginelId to get authentication or encryption keying material. 


CLI (configure)> snmp user <user_name> <group_name> v3 remote ip-address 
<A.B.C.D> [ auth {md5 |sha} <auth_password> | encrypted auth {md5 |sha} 
<priv_password>] 


To configure a user without triggering the discovery process, you can associate a user to the remote 
engineld by using the following configuration command: 


CLI (configure)> snmp user <user_name> <group_name> v3 remote engine-id 
<enginelId> [ auth {md5 |sha} <auth_password> | encrypted auth {md5 |sha} 
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<priv_password>] 


To remove a remote user from the local configuration datastore, use the following configuration command: 


CLI (configure)> no snmp user <user_name> v3 remote engine-id <enginelId> 
CLI (configure)> no snmp user <user_name> v3 remote ip-address <A.B.C.D> 


3.10.4 Miscellaneous 


At any stage of the configuration, information about the SNMP agent can be modified. To configure the 
location of the device, use the following command line: 


CLI (configure)> snmp location <text> 


To configure the person to contact, for managing the device, use the following command line: 


CLI (configure)> snmp contact <text> 


To configure a string that uniquely identifies the equipment, use the following command line: 





CLI (configure)> snmp chassis-id <text> 
By default, chassis-id is a MIB variable given by the manufacturer; this identifier is made up of the type of 
equipment followed by a serial number. 


In order to avoid IP fragmentation, the SNMP v1, v2 and v3 agent provides a command line to limit the 
maximum SNMP message packet size. Thus, if forged SNMP messages are greater than the configured 
packet size, an SNMP 'too big' message is sent to the manager. 


CLI (configure)> snmp max-message-size <size> 
SNMP v3 agent uses this maximum value to limit the size of outgoing SNMP packets. In addition, this 


maximum message size is sent in SNMP v3 queries, as the remote entity is not allowed to respond with 
messages greater than the size requested by initiator. 


To restore the default values, use the no form of the following command line: 


CLI (configure)> no snmp max-message-size 
3.10.5 Event Managers 


To add a SNMP manager (up to 10 managers are supported), use the following command in global 
configuration mode: 


CLI> event manager A.B.C.D [<port>] [vl | v2 | v3 | v3auth | v3priv ] 


[<user>] 


Where user is the community string for v1 and v2, and the username for v3, and port is the destination port 
for sending traps, v3auth and v3priv determine the security level to use for sending the trap that is to say 
that for sending traps in clear text with a digest inside, v3auth is needed. 


If neither port, nor version, nor user is chosen, then a manager will be created with the given address, with 
the community string public, version 2, and destination port 162. 


To remove a SNMP manager, just use the following command: 
CLI> event no manager A.B.C.D [<port>] [vl | v2 | v3 | v3auth | v3priv ] 
[<user>] 

To display the configured event managers, use the following command line: 


CLI> show event managers 
10.1.2.1:162 V2 "public" noAuthNoPriv 
10.1.2.1:162 V3 "admin" authPriv 


3.10.6 Adapting SNMP Traps 


By default, a SNMP trap is sent for the following events: cold/warm start, link up/down, authentication 
failures (bad SNMP communities). 
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To enable/disable such standard SNMP traps, use the following command: 


CLI(configure)> [no] snmp trap { standard | acl | bgp | ipsec | isakmp | 
isdn | nat | pstn | vrrp } 


3.10.7 Debugging SNMP 


You can use the following command to help you debug configuration issues with SNMP: 


CLI> debug snmp [ {packet | info | inform | error} ] 


The options provide the following information: 

e Packet: source/destination IP addresses of SNMP packets 
e Info: detailed information of SNMP packets 

e Inform: details about SNMP informs 


e —_ Error: protocol errors and warning (such as failing authentication) 


3.10.8 SNMP Statistics 


At any stage of the configuration, information about SNMP can be displayed. To display the statistics 
related to SNMP, use the following command line: 


CLI> show snmp statistics 

SNMP statistics: 

IN: 120 total 

0 bad version, community error: 0 bad name, O bad uses 

ASN parse errors, trap authentication enabled 

bad types, 0 too big, O no such name, 0 bad values 

read only, 0 gen error, 120 total req, O total set 

get requests, 120 get next, 0 set requests, 0 get responses 

unknown security models 

Q invalid, 0O unknown PDU handler, 0O unavailable context, 0O unknown 
context 

QO unsupported sec level, O unknown engine Id, 0O wrong digest, 0 
decryption error 

OUT: 126 total 

0 too big, O no such name, 0 bad values 

Q read only, O gen error 

QO traps, 120 get responses 


OO) CO -O::© 


Use the following clear command in global configuration mode to reset SNMP counters: 


CLI> clear snmp statistics 


To display the SNMP v1 and v2 configuration elements, use the following command line: 
CLI> show snmp community 
no SNMP write community configured 
SNMP read community: public 
To display the configured managers, use the following command line: 
CLI> show snmp managers 
10.1.2.1:162 V3 "guest1" noAuthNoPriv 
10.1.2.1:162 V3 "admin" authPriv 
To display the configured SNMP v3 engine ID, use the following command line: 


CLI> show snmp engine-id 
Local SNMP engineld: 
80003387030008005101001b 


To display the configured SNMP v3 users, use the following command line: 


CLI>show snmp users 
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user group EnginelId active 
admin private 80003387030008005101001b yes 
guestl public 80003387030008005101001b yes 





To display the configured SNMP v3 groups, use the following command line: 


CLI>show snmp groups 

groupname: public security mode:v3 no auth 
read view: all write view: <none> 

notify view: all state: active [nonvolatile] 


groupname: private security mode:v3 auth 
read view: all write view: all 
notify view: all state: active [nonvolatile] 


To display SNMP views configured, use the following command line 


CLI>show snmp view 

snmp view all 1.3.6 included - active [nonvolatile] 

snmp view videfault 1.3.6 included - active [nonvolatile] 
snmp view videfault 1.3.6.1.6 excluded activ [nonvolatile] 
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3.11 


3.11 


3.11 


TRACES AND EVENTS 


.-1 Introduction 


The equipment can provide event information about the interfaces and protocols on the CLI, console port, 
and in a log file managed by the file system. Some events can also generate SNMP traps. 


.2 Event Filters 


To read the events, filters must be defined. Each filter defines a family of events, a severity code and the 
output device (CLI, Console, file, SNMP trap, syslog). 


e CLI: displays the filtered events on the CLI session, from which the filters were created 
e File: records the filtered events in a file. 
e Console: shell/debug interface on the serial port 


e SNMP trap: upon occurrence of the selected events, the information will be sent to the SNMP 
manager as an SNMP trap. This mechanism permits the user to select specific events, which shall be 
monitored in the SNMP management system. 


e Syslog: the event is sent to a syslog server. 


Several filters can be simultaneously defined. When an event is matched by one the filters, the event is 
recorded. 


To add a filter: 


CLI> event filter add <group> <family> <all | subfamilies> [<type>] 
[<severity>] <action list> 





<group>: sys (for system), adm (management), wan (data interfaces), ip, vox (voice) 
<family>: depends on the selected group 

<subfamilies>: | depends on the selected family & group 

<type>: (optional) may be info, warning, error, fatal, event 

<severity>: (optional) 1 to 8 

<action list>: one or more of the following actions: DROP, LOG, SHOW, MEM, TRAP, SYSLOG 


List of possible actions (several actions can be configured simultaneously): 


iw) 


ROP: Event is suppressed. 
e OG: Event is recorded in a file. 


n 


HOW: Event is output on the console port (shell). 


e MEM: Event is stored in memory to be displayed on the CLI interface. 





e TRAP: Generation of SNMP v1 traps towards a SNMP manager that must be configured (see below). 


e SYSLOG: Generation of events to a SYSLOG server that must be configured. 


Example: 
CLI> event filter add sys GSHDSL ALL SHOW MEM LOG TRAP 


To show the current filters, enter: 





CLI> show event filters 
Filter 1: g:SYS f: +GSHDSL, sf: ALL, sever: All, 
type: All,action LOG+SHOW+MEM+, argument NONE 
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To remove all the filters, enter: 


CLI> event filter remove all 
To remove a specific filter (for example #2), enter: 


CLI> event filter remove 2 


3.11.3 Reading the Events 


The events are formatted as follows: 





<time> <date> <type> <group> <family> <subfamily> <text> 


Examples of events on a DSL uplink: 


15:21:48 28:09:2044 Info SYS GSHDSL EVT10 1 Gshdsl if=0 
new internal state ST_TIME 
15:21:58 28:09:2044 Info SYS GSHDSL EVT10 1 Gshdsl if=0 

new internal state ST_STRT 

15:22:31 28:09:2044 Event SYS GSHDSL EVT11 1 Gshdsl if=0 UP 





























If the SHOW action is selected, the events appear immediately on the console/debug interface. 





If the MEM action is selected, the events are recorded in memory and can appear on the CLI interface. This 
command must be entered to view the events: 


CLI> monitor events 


The screen is cleared before the events appear and it is no more possible to enter a CLI command. To 
return to CLI mode, enter ESC. 


If the LOG action is selected, the events are recorded in the file system (ramdisk device) in two files: 
eventl.log and event2.1log (event1.1log is used first and event2.1log is used when event1.log 
is full, etc.). The files can be uploaded in a TFTP server. 


CLI> devs ramdisk: 

CLI> 1s 

Listing the directory / 
tmp/ 512 

eventl.log 3021 
running-config 664 
event2.log 840 





To recover the events recorded in memory (filter defined with MEM action) after a crash and to display them 
on the CLI, enter: 


CLI> event recover show 


To recover from memory and save the events in a file (for example: tr1.log) after a crash, enter: 


CLI> event recover file trl.log 


3.11.4 System Logging 


The system logging is based on the same mechanism as the 'events' mechanism explained above. The 
following command activates the traces and determines the media where the traces are redirected (under 
configuration terminal): 


CLI(configure)> [no] logging { buffered | console | file | syslog } 
{ alerts | critical | errors | warning | notifications | information | 
debug } 


The first argument has the following meaning: 


e console: the traces are output on the console interface. 
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e buffered: the traces are stored in device memory. They can be displayed afterwards using the show 
logging command. This is the fastest procedure for redirecting traces, thus impacting less the 
device performances. When remotely connected using telnet, the monitor trace command allows 
viewing the traces on the fly at the same time when they are buffered. 


e file: the traces are recorded under ramdisk:/. First, traces are dumped into the file named 
tracel.log. When tracel.log is full, trace2.log is used. When trace2.1log is full, 
tracel.log is erased then re-created and new traces are written in this file. 


e syslog: the traces are sent to a syslog server. The syslog client configuration must be done. 
To insert a line-feed automatically for every syslog message: 


CLI (configure)> [no] logging syslog split-CRLF 


The second argument provides the level of details to filter traces, alerts being the least detailed filter and 
debug providing the most traces. 


To show the current logging options and to display the buffered logs, use the next command: 

CLI (configure)> show logging 
Example: a user wishes to view on the fly the debug traces for NAT from a telnet session. Here is the list of 
instructions to enter. 


CLI# configure terminal 

CLI (configure) # logging buffered debug 
CLI (configure) # exit 

CLI# debug ip nat 

CLI# monitor trace 


The memory buffer size can be increased/decreased if necessary (default size 16364 bytes). Note that the 
default value is nevertheless displayed in show running-configuration. 


CLI (configure)> logging buffered size <16364..65536 bytes> 


The log file size can be increased/decreased if necessary (default size 20000 bytes): 


CLI (configure)> trace logging max-filesize <200..20000 bytes> 


Every trace can be generated with the device date and time or the device up-time or the current time: 


CLI (configure)> [no] logging timestamp { datetime [msec] | time | uptime} 


With datetime the optional msec argument adds the milliseconds to the actual date and time. 
With t ime only the actual time is displayed. 


With uptime the displayed time is related to the device up-time. 


3.11.5 Configuration History 


This facility records all passed configuration commands since the router has rebooted. This logging is 
activated by default (stored in RAM memory). 
The history file size can be increased/decreased if necessary (default size 128 Kbytes): 


CLI (configure)> logging config-history max-size <10..256 Kbytes> 


Use the following command to de-activate the logging. Note that this command empties the history file. 


CLI (configure)> no logging config—-history 
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Use the following command to re-activate the configuration logging: 


CLI (configure) > logging config-history enable 


Use the following command to display the history of configuration commands file: 


CLI> show command-config 
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3.12 PING & TRACEROUTE 


3.12.1 Standard Ping 


It is possible to ping a device from the CLI: 


CLI> ping [-t] <dest. Address> [<source address>] 


Example: 
CLI> ping 220.13.1.3 20.13.0.10 





Typ scape sequence to abort. 
Sending 5 100-byte ICMP Echos to 220.13.1.3 from 20.13.0.10, 











timeout is 2 


seconds: 
yridd 
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms 
CLI> 
The options for the ping command are the following: 
-1 - Size of packet used for ping 
-n — Number of packets used for ping 
-v Type of service: [no-tos], low-delay, throughput, reliability, min- 


cost 
-£ - Set don't fragment flag 
-w - timeout in seconds to wait for each reply 


The source address is optional. If not provided the source IP address is the primary IP address of the ping 
output interface. The option -t enables a periodical ping, which can be stopped by entering Ctrl-C. The 
available range for the packet size is from 64 to 1500. The number of packets is restricted between 1 and 


15. The timeout can be configured between 1 and 60 seconds. 
3.12.2 Xping (Extended Ping) 


The xping command may be used to initiate several ping sessions for different targets. 


The command measures the minimum, average, round trip jitter and maximum ping response time. 


Command for creation of a new xping session: 


CLI> xping <session_name> 


Then, the xping session (called <session_name>) must be then configured. The following parameters 


are available: 


CLI(xping)> ? 
activate - Activate xping session. 
address Set target ip address. 





data-size - Set datagram size for the icmp packet. 
deactivate - Deactivate a session. 
exit - Exit xping mode. 








df-flag Sets the DF flag on outgoing packets 
dsfield - DS field for IPv4 








frequency - Set ping frequency (interval in seconds). 
probe-count Set the number of packets sent for each ping. 
show -— Display xping session configuration. 

source — Set source address. 

timeout Set request time out. 

<cr> 


CLI (xping) > 
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The source address is optional but must be a valid IP address if it has been specified. This command must 


be entered to view all the declared sessions in real time: 


CLI> monitor xping 


The screen is cleared and shows real-time statistics for all the configured sessions. To return to the CLI 


mode, enter ESC. 
The xping sessions are removed with the command: 


CLI> no xping <session_name> 
3.12.3 Trace Route 


The list of IP nodes from the device to a destination can be traced: 


CLI> traceroute <target> [<source_address>] 


Example: 
CLI> traceroute 220.13.1.3 20.13.0.10 





Typ scape sequence to abort. 
Tracing the route to 220.13.1.3 from 20.13.0.10 
1 20.13.1.3 2 msec * 2 msec 
Advanced options are available: 
CLI> traceroute -t 220.13.1.3 ? 








<source> Source address to use 

-1 - Packet size 

-i - Time to live 

-v Typ of service: [no-tos], low-delay, throughput, 
cost 


-£ - Set don't fragment flag 
-w —- timeout in seconds to wait for each reply 
<cr> 


reliability,min- 


The source address is optional. If not provided the source IP address is the primary IP address of the ping 
output interface. The option -t enables a periodical ping, which can be stopped by entering Ctrl-C. The 
available range for the packet size is from 64 to 1500. The number of packets is restricted between 1 and 


15. The timeout can be configured between 1 and 60 seconds. 
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3.13 TELNET, TFTP & FTP CLIENT 


3.13.1 Telnet Client 


A Telnet client is embedded in the OneOS for contacting another device: 


CLI> telnet <target> [<port>] [<interface> <unit>] 


A source address can be provided via the optional parameter <interface>. The interface parameter 
must be a valid declared interface, i.e.: 


e ethernet 0/0 
e fastethernet <intf>/<port> 
e loopback x 


e atm0O.x 


Example: 


CLI> telnet 20.13.0.3 
Trying 20.13 0.3.56 
Connected to 20.13.0.3. 
Exit character is '*]'. 





User Access Verification 
Password: 


3.13.2 Telnet Server 
A Telnet server is embedded in the OneOS to be contacted from another device. 
3.13.2.1. Attaching the Telnet Server to an Interface 


The telnet server is always on. Its source address is the one of the IP interface where the packets are 
routed. For example, if a telnet client connects from the LAN, the IP address used by the telnet server is 
the primary address of the Ethernet interface. To connect the Telnet server to a specific IP interface, enter: 


CLI> [no] bind telnet <interface> <unit> 


<interface> can be any IP interface such as: ethernet 0/0, fastethernet <intf>/<port>, 
atm 0.x, loopback. 


To un-bind the telnet from any interface, please enter the following command (default settings): 
CLI> bind telnet any 


Example for binding Telnet on the ATM IP interface 0.1: 





CLI> bind telnet atm 0.1 


After having entered the command, the Telnet server and CLI are only accessible using the IP address of 
the selected ATM interface. 


3.13.2.2 Restricting Telnet Access to a Pool of Hosts 


It is possible to restrict access to telnet clients by using a list of addresses standing for the list of permitted 
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source IP addresses. Use the following command in configuration line: 


CLI (configure)> [no] bind telnet acl <acl-name> 
3.13.2.3. Configuring the Telnet Server Timeout 


If a connected telnet client is inactive during a certain time, it is disconnected. By default, any inactive 
telnet client is disconnected after 10 minutes. (Warning: previous OneOS releases used to have a 60- 
minute timeout). 


To change the telnet timeout: 


CLI (configure)> telnet timeout <seconds> 


To restore the default timeout, use: 





CLI (configure)> default telnet timeout 
3.13.2.4  Disconnecting a Telnet User 
This procedure functions for console, telnet and SSH users. First, you must retrieve the session ID of the 


host you want to be logged off. To get the session IDs of all connected users: 


CLI> who 


Then, enter the following command to disconnect the user (you need to have the admin user level): 


CLI> clear vty-session <session-id> 
3.13.2.5 Logging the Telnet Connections 
Remote connections to the telnet server can be logged using the following command in global 
configuration mode: 
CLI (configure) > logging telnet enable 
For each connection, the user name (login), the originating IP address, the connection date and time, the 
disconnection date and time and the disconnection cause (logout or timeout) are logged. 


To stop logging the telnet connections use the following command in global configuration mode: 


CLI (configure)> no logging telnet 


The telnet logging is recorded under ramdisk:/. First, logs are dumped into the file named 
telnetl.log. When telnet1.log is full, telnet2.log is used. When telnet2.1og is full, 
telnet1.1log is erased then re-created and new logs are written in this file. 


The log file size can be increased/decreased if necessary (default size 8200 bytes): 


CLI (configure)> logging telnet max-filesize <82..8200 bytes> 


3.13.3 TFTP Client 


A standard TFTP client is embedded in the OneOS, which enables the downloading and uploading of files 
from a remote TFTP server. 


No configuration is needed. Refer to the copy command whose examples are described in this guide. 


3.13.4 TFTP Server 


A TFTP server is embedded in the OneOS, only to upload files to another device. Files have to be located 
in the /t ftpboot directory. The TFTP server can act as a TFTP relay to upload a file that is located on 
another TFTP server. 
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The TFTP server is disabled by default. To enable the TFTP server, use the following command in global 
configuration mode. Use the optional parameter to limit the access to a specific interface. 


CLI (configure)> [no] tftp-server [address <interface>] 


Use the no form of the command to disable the TFTP server. 


The TFTP relay is disabled by default. To enable the TFTP relay and define the address of the other 
server, use the following command in global configuration mode. 


CLI (configure)> [no] tftp-relay server { <IP-address> | <hostname> } 


Use the no form of the command to disable the TFTP relay. 


Note that the TFTP server must be enabled to have the TFTP relay working. 


3.13.5 FTP Client 
A standard FTP client is embedded in the OneOS, which enables the downloading and uploading of files 
from a remote FTP server. 
Command: 


CLI> ftp <host> [<source address>] 


Example: 


CLI> £tp 200.13.0.1 
username: admin 
password: 

CLI(ftp session) > 


The source address is optional but must be known by the equipment or the default IP address will be used. 
The following commands are available: 

e bye - Quit ftp session 

e cd- Change remote directory 

e is - List remote directory 

e get - Download file 

e lcd - Change local directory 

e ils - List local directory 

e §=put - Upload file 


e pwd - Current directory 
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3.14 SSH - SECURE SHELL 


3.14.1 Features 
3.14.1.1_ Secure Encrypted Communications 


Secure shell or SSH is both a computer program and an associated network protocol designed for logging 
into and executing commands on a networked computer. SSH design was aimed at replacing the earlier 
rlogin, telnet and rsh protocols by a secure protocol providing encrypted communications between two 
hosts over an insecure network. 


OneOS SSH server is compatible with the version 2. 
3.14.1.2 Strong Security 


The SSH daemon supports 3DES and AES as encryption algorithms. 


While 3DES is a proven and well-understood ciphering algorithm, AES is a higher performance block 
ciphering algorithm created by the US Federal Information Processing Standard (FIPS), and developed as 
a replacement for DES. 


3.14.1.3 Strong Authentication 


Strong authentication using public keys protects against several security problems, such as IP spoofing, 
fakes routes, and DNS spoofing. Authentication of the SSH peers is realized via public DSA keys. DSA 
keys were introduced in SSH version 2. But the user authentication at login time is done like any telnet 
session: based on the local password database, or through RADIUS or TACACS+ servers. 


Note: unauthorized connection attempts are subject to blacklisting (see 3.27). 
3.14.1.4 Remote "exec telnet" command 


The SSH server supports remote "exec telnet" commands. This means that an SSH client opens an SSH 
session to the OneOS-based router that relays the data in the SSH session to another device via a local 
telnet session between the OneOS-based router and the other device. This is typically used to manage via 
a secure SSH connection over the Internet a device behind the access router, e.g. an IP telephone. As the 
IP telephone has a private LAN address, it is not directly reachable over the Internet (except when 
specifically configured in NAT). SSH remote command is a very useful tool to manage such devices over 
the network without needing to change the access router configuration. 


3.14.2 Configuration 
3.14.2.1 Generating the Authentication Keys 


As SSH daemon requires a public key to authenticate versus remote host, it is mandatory to generate a 
public key pair. Use the following command in global configuration mode to create a Digital Signature 
Algorithm key (the last argument is the key length in bits): 


CLI (configure)> crypto key generate dsa { 256 | 512 | 1024 | 2048 } 


To remove the generated DSA key, use the following command: 


CLI (configure)> crypto key zeroize 


3.14.2.2 Starting the SSH daemon 
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SSH is disabled by default. To start the SSH daemon, use the following command in configuration mode: 


CLI (configure)> ip ssh enable 
3.14.2.3. Stopping the SSH daemon 


To stop the SSH daemon, use the following command in configuration mode: 


CLI (configure)> ip ssh disable 
3.14.2.4. Configuring the SSH Server Timeout 


If a connected SSH client is inactive during a certain time, it is disconnected. By default, any inactive SSH 
client is disconnected after 10 minutes. 


To change the SSH timeout in seconds, use the following command: 
CLI (configure)> ip ssh timeout <120-4294967295> 


3.14.2.5 Configuring the SSH Server Authentication Timeout 
If an SSH client is in the authentication phase and it is inactive during a certain time it is disconnected. By 
default, any inactive SSH client doing an authentication is disconnected after 2 minutes. 


To change the SSH authentication timeout in seconds, use the following command in configuration mode: 


CLI (configure)> ip ssh auth-timeout <5-120> 
3.14.2.6 Configuring the SSH Server Authentication Retries 


By default, the authentication retries number is 3. To change this value, use the following command in 
global configuration mode: 


CLI (configure)> ip ssh auth-retries <retries> 
3.14.2.7 Attaching the SSH Server to an Interface 


To attach the SSH server to a specific interface use the following command: 


CLI (configure)> bind ssh { loopback <lb-id> 
| bri <slot>/<port>[.<vlan-if>] 
| fastEthernet <slot>/<port>[.<vlan-if>] 
| tunnel <intf>.<port> 
| any } 


To permit SSH access from any interface, which is the default configuration, use the following command in 
global configuration mode: 


CLI (configure)> bind ssh any 
3.14.2.8 Restricting SSH Access to a Pool of Hosts 


It is possible to restrict access to SSH clients by using a list of addresses standing for the list of permitted 
source IP addresses. Use the following command in configuration line: 


CLI (configure)> bind ssh acl <acl-name> 
3.14.3 Statistics 
Use the following show command to display the list of current SSH sessions and related parameters: 
CLI> show ssh 


Connection Remote port Username Algorithm used 
192.168.2.133 2345 admin dsa-3des 


Use the following show command to display the list of current SSH sessions and related parameters: 
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CLI> show ip ssh 

SSH Enabled 

Authentication timeout 120 secs, retries 3 
Session timeout 120 secs 


Use the following debug command, to enable SSH debug: 


CLI> debug ip ssh 
CLI> no debug ip ssh 





3.14.4 Configuration example 


The following example show the process to create a host dsa public key, followed by the running of SSH 
daemon. 


configure terminal 

crypto key generate dsa 512 
ip ssh enable 

ip ssh timeout 600 

ip ssh auth-timeout 30 

ip ssh auth-retries 2 


3.14.5 Remote SSH illustration 
The following shows how to connect from a UNIX machine to the device with (local) address 192.168.1.4 
behind a router with address 170.20.52.58. 


OneOS-based Terminal 
router 





























SSH Telnet 
+t 


At the SSH client console (UNIX machine): 


#ssh admin@170.20.52.58 -t telnet 192.168.1.4 


admin@170.20.52.58's password: <- SSH authentication 
Trying 192.168.1.4 ... Open 
Password: *****x*x* <- telnet authentication 


<Device identification> 
SIP Phone> <- telnet prompt 
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3.15 


CAPTURING PACKETS 


The “capture” command enables the user to observe and to decode incoming and outgoing traffic on 
logical devices (a device is a filter applied on one interface). 


The process is first to define a filter to determine the protocol to decode, then to attach the filter to an 
interface giving a logical device, and lastly, to start the decoding. 


To define the filters and the devices, enter in capture mode: 
CLI> capture 
CLI (capture) > 

To define a filter, use the command: 
CLI(capture)> [no] filter { all | arp | icmp | ip | rarp | tcp | udp } 
[sre <src-address> [sport <src-port>]] [dst <dest-address> [dport <dest-— 
port>]] [type <icmp-type>] [reflexive] [caplen <bytes>] 

When reflexive is set then capture is done in both directions. 


To limit performance impact of capture, the captured packets are truncated to the caplen value and 
displayed and stored that way in the capture file (caplen range is from 32 to 2048 bytes; default value is 
68 bytes). 


The capture tool makes it possible to capture the 802.11 frames: 
CLI (capture)> [no] filter dot11 <macaddrl> [<macaddr2>] [data | control | 
management] [caplen <bytes>] [exclude <type> <sub-type>] 
The filter matches all the options (macaddr1, macaddr2, and frame type) that are presents. If the frame 
type (data, control, or management) is not present, all frames are captured. 
Examples: 
CLI (capture)> filter dot11 11:22:33:44:55:66 data 
CLI (capture)> filter dot11l management exclude 0 8 
The exclude option is an optional parameter and could be set to exclude some frames regarding to their 
type and sub-type. 
When a filter is created, it is identified by a number. To show the list of £ilter-—id, use the command: 


CLI (capture)> show filters 


To define a device by attaching the previously defined filter to an interface: 
CLI (capture)> [no] attach <filter-id> { ethernet | fastethernet | atm | 
~} <interface-port> 

When a device is created, it is identified by a number. To show the list of device-id, use the command: 


CLI (capture)> show devices 


To start and optionally display the traffic capture, use in global mode the command: 
CLI (capture)> exit 
CLI> monitor capture <device-id> [console | file <filename>] [verbose <0- 
3>] 

Use the ESC key to stop the monitoring. 

By default, the captured packets are displayed on console. 


The file output is in pcap format, compatible with TCPDump and other protocol analysis tool such as 
Ethereal. 
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The verbosity of the capture decoder can be 0 (normal), 1 (detailed), 2 (hexadecimal normal), and 3 
(hexadecimal detailed). 


LI> capture 

LI (capture) > 

LI (capture)> filter arp 

LI(capture)> filter all 

LI (capture)> show filters 

1. arp [caplen=68] 

2. all [caplen=68] 

capture) > 

capture)> attach 1 fastethernet 0/1 
capture)> attach 2 fastethernet 0/1 
capture)> show devices 

arp on FastEthernet 0/1 [caplen=68] 
2. all on FastEthernet 0/1 [caplen=68] 
CLI (capture) > 

CLI (capture)> exit 

Cc 


aaaq 








LI> 
CLI> monitor capture 2 console verbose 1 
13:15:03.239326 200.13.0.1.1135 > 200.13.0.10.23 ; [tcp sum. ok] 
ack 8912395 win 7597 (DF) (ttl 128, id 47965, len 40) 
<ESC> 
CLI> 
CLI> capture 
CLI (capture) > 
CLI (capture)> no attach all 
CLI (capture)> show devices 


No capture devices defined 
LI (capture) > 

LI(capture)> no filter all 
LI (capture)> show filters 
No capture filters defined 
LI (capture) > 

Li (capture)> exit 

LI> 


ome n@) 


(=) 





Q 





Q 
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3.16 SY 


3.16.1 Checki 


STEM 


ng CPU load 


INDICATORS 


Use the following command to check the current system load. Current means "during the last second". The 


non critical tasks are the non real time tasks like SNMP, Web server, etc. 


CLI> show system status 


System Informations for device Onel100 S/N F0601000008 
ONEOS4-VOIP_SIP-V4.2R4] 


Sof 
Sof 
Boo 
Boo 


Cur 
Sys 
Sta 
Sys 
Sys 
Cur 


Current Critical Tasks CPU load 
Current Non Critical Tasks CPU load 


tware version 
tware created on 
t version 

t created on 


rent system time 
tem started 

rt caused by 

Up time 

tem clock ticks 
rent CPU load 











06/11/08 17:03:08 





BOO 


4-SEC-V3. 6R2E16 
01/07/08 11:13:13 








04/12/08 14:50:48 
04/12/08 14:50:00 


Power Off 


(Dying Gasp) 


Od Oh Om 48s 





2431 
3.8% 


oe 


MeN 
foe) 
oe 


E2_ V26A 


Use the following command to display the system load history. The CPU load is given for the last minute, 
the last hour and the last three days. For the last hour and the last three days, the maximum and average 
values are given. 


CLI> show processes cpu history 


System Informations for device One1l00 S/N F0601000008 
HHHHHHHHHHEHHHE GLOBAL CPU LOAD (last 60 Seconds) #######H##HFEHEHE 


lo 25' 12 164 


al 


444434443354335444444344633363333384424122204120000000000030 


100 
90 
80 
70 
60 
50 
40 
30 
20 
10 


CPUS per second 


* x 
* * 
* * 
KKOO* ** 
KR KK OK kk 
3 24, 4 
5 0 5 


(last 60 seconds) 


+k kk CRITICAL CPU LOAD (last 60 Seconds) ********kKKKHE 


de 25.512 164 


1 


222222222222223222222222522242222070124011204120000000000030 
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100 
90 

80 

70 

60 * 

50 * * 

40 * kk 

30 * kK* 

20 kk * kK* 

10 KaKKkK KK KKK * 


CPUS per second (last 60 seconds) 


+k kkk KK KKK NON CRITICAL CPU LOAD (last 60 Seconds) ********#* 


111111111121112111111111111111111314200000000000000000000000 


100 
90 
80 
70 
60 
50 
40 
30 
20 
10 


CPUS per second (last 60 seconds) 


HHHHHHHHHHHHHH GLOBAL CPU LOAD (last 60 Minutes) #######H##HHHHHHH 


000000000000000000000000000000000000000000000000000000000000 


100 
90 
80 
70 
60 
50 
40 
30 
20 
10 


CPUS per minute (last 60 minutes) 
* = maximum CPUS # = average CPUS 


xk KKK KKK CRITICAL CPU LOAD (last 60 Minutes) ****#***k KKH 


000000000000000000000000000000000000000000000000000000000000 


100 
90 
80 
70 
60 
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50 
40 
30 
20 
10 


CPUS per minute (last 60 minutes) 
* = maximum CPUS # = average CPUS 


Jodeci cccekee NON CRITICAL CPU LOAD (last 60 Minutes) *****kkkee 


000000000000000000000000000000000000000000000000000000000000 


100 
90 
80 
70 
60 
50 
40 
30 
20 
10 


CPUS per minute (last 60 minutes) 
* = maximum CPUS # = average CPUS 


HHHHHHHRHRHRHRHHHEH GLOBAL CPU LOAD (last 72 Hours) #########HHHHHREH HH 


000000000000000000000000000000000000000000000000000000000000000000000000 


100 
90 
80 
70 
60 
50 
40 
30 
20 
10 


CPU% per hour (last 72 hours) 
* = maximum CPUS # = average CPU% 


FOO dicnckccek CRITICAL CPU LOAD (last 72 Hours) **##RRKKKKKKK KKK KK 
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20 
10 


CPU% per hour (last 72 hours) 
* = maximum CPUS # = average CPUS 


FOO ccceee® NON CRITICAL CPU LOAD (72 Hours) (* 0k 
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* = maximum CPUS # = average CPUS 


3.16.2 Checking Memory & Flash spaces 


The system memory can be viewed with the following command: 


CLI> show memory 




















Memory status report Kbytes 
Ram size 65 536 
:..Program 27 186 
:..code 18 476 
:..data 8 709 
:..Static buffers 192 
:..Dynamic total 34 974 

Sa 2 used 13 909 39.7% 

: free 21 065 60.2% 
:..System total 19 806 

: used 5 610 28.3% 

: free 14 196 71.6% 
:..Data total 15 167 

used 8 299 54.7% 

: free 6 868 45.2% 
:..Ram disk total 1 1OF1 

used 5 0.5% 

free 1 006 99.6% 
Flash size 2 048 
I BOOK 1 024 
:..Static areas 48 
Extended Flash size 32 768 
:..Flash disk total 32 306 

used 9 408 29.1% 

free 22 898 70.8% 
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3.16.3 Checking Reboot Causes 


To check the reasons why the router did reboot, some reboot commands are available. The following 
command provides the last reboot cause (warning: under certain circumstances, the reboot cause may not 
be determined): 


CLI> show reboot cause 


To check the reboot counters per cause: 





CLI> show reboot counters 
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3.17 


3.17. 


3.17. 


GLOBAL STATISTICS 


An embedded tool is provided to display global statistics with a refresh period of one second. 
The CLI command is: 


CLI> monitor ? 
global-statistics - Display system global informations 
CLI> monitor global-statistics 


This command opens a first summary screen. The navigation between the screens is done by typing keys 
shown at the bottom of each screen, i.e.: 


<Q>: to quit 

<R>: to go to the IP routing screen 

<W>: to access the PVC screens 

<ESC>: to quit or to go back to the previous screen 
<1-2..>: access to detailed screen for PVC number 1 or 2 





Several screens are defined: 
e Summary screen: 


The top screen displays information about CPU load, memory availability, and status of ATM and Ethernet 
ports. 


e IP route screen: 

It shows the IP routing table. 

e WAN information screen: 

It shows the ATM traffic on the G.SHDSL and also a summary of the declared PVC. 
e PVC detailed screen: 


It shows details for each declared PVC. 
1Summary Screen 


01/02/2000 07:25:50 Uptime: 0 days 07:25:47 one60_13 CPU 3% 

System memory: 8301kB total 3425kB( 41%) allocated 4876kB( 58%) free 
Reserved memory: 7999kB total 4664kB( 58%) allocated 3335kB( 41%) free 
FastEthernet0O 

up IP not configured 

OkB/s in OkB/s out 2pkt/s in 2pkt/s out 

Atm0 

up configured G.SHDSL up CONN Data Rate: 2304kb/s 

4cells/s in 4cells/s 
I 
[ 





P forwarding enabled 7 total routes 3 static routes 
ESC], [Q]-Quit [R]-IP routing table [W]-WAN information 





21P Routes 


01/02/2000 07:26:02 Uptime: 0 days 07:25:58 one60_13 CPU 6% 
Proto Destination Mask Gateway Interface 

C-040..0.1. 255.255.255.255 Nullo 

C 20.14.1.3 LoopbackO 

C 20.14.1.4 Atm0.2 

C 127.0.0.1 LoopbackO 
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C 200.13.0.0 255.255.255.0 FastEthernet0 
C 200.13.0.0 255.255.0.0 FastEthernet0 
C 200.19.0.0 255.255.0.0 Atm0.2 








ESC]-Back [Q]-Quit 





3.17.3 WAN Detailed Screen 


01/02/2000 07:26:15 Uptime: 0 days 07:26:12 one60_13 CPU 6% 
Atm0 

up configured 

Traffic(cells/s): now: 4 in 4 out 

1l-min: 14 in 7 out 

Total cells: 363277 in 196322 out 0 discarded 0 HEC errors 
G.SHDSL up CONN Data Rate: 2304kb/s adaptive (192-2304 K) 
MIB status:noDefect 
Noise mrg: 38,4 dB Tx power: 8,5 dB Rx gain: 5,2 dB 
IF VCI VPI Type Status Encaps QOS PCR SCR MBS in out 
kbps kbps cells kbps kbps 

1. 20201 0 33 pppoa up aal5/mux UBR 2300 0 0 











[1 - 1] - Pvc [ESC]-Back [Q]-Quit 





3.17.4 PVC Screen 


01/02/2000 07:26:17 Uptime: 0 days 07:26:13 one60_13 CPU 3% 
Atm0 

up configured 

Traffic(cells/s): now: 4 in 4 out 

1l-min: 14 in 7 out 

Total cells: 363281 in 196326 out O discarded 0 HEC errors 
G.SHDSL up CONN Data Rate: 2304kb/s adaptive (192-2304 K) 
MIB status:noDefect 

Noise mrg: 37,7 dB Tx power: 8,5 dB Rx gain: 5,2 dB 








IF VCI VPI Type Status Encaps QOS PCR SCR MBS in out 
kbps kbps cells kbps kbps 

1. 20201 0 33 pppoa up aal5/mux UBR 2300 0 1 

[1 - 1] - Pvc [ESC]-Back [Q]-Quit 
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3.18 USER MANAGEMENT 


An embedded database is provided to declare the users allowed to access the equipment and to define 
their access rights. 


Each user has a username, a password and belongs to a group. 


The username is a 15-character long string; the password is a 32-character long string. Both contain any 
character except "?", "!" and "space". 


Note: It is possible to use the above-mentioned characters by placing the character string between 
quotation marks (") or between apostrophes (’) if the quotation mark is part of the string. 


Three groups are pre-defined and map three levels of access rights: 


e User (level 0): only access to elementary show functions or diagnostics functions such as ping 
(configuration in read-only mode) 


e Manager (level 7): access to all show functions, traces and configuration functions 


e Administrator (level 15): access to all functions including shell (for system debugging) 


The user database is managed via CLI commands: 


CLI> user ? 
add - Add a new user 





change-access Change the access level for a specific user 
change-password - Change password for a specific user 
delet Remove a user 








drop Change the user access level to a lower one 
password —- Change own password 


3.18.1 User Creation/Deletion 


To add a user, use the command: 


CLI> user add ? 

<login> - Username to create 

CLI> user add pk ? 

<password> - Password for the new user 

LI> user add pk passl ? 

group> - Access group for the user { user | manager | administrator } 
0..15> - User level 

LI> user add pk passl manager 

LI> 





CeOK. AcQ: 


To remove a user in the database: 


CLI> user delete ? 





<login> - User name 
CLI> user delete pk 
CLI> 


3.18.2 Password Management 


A user can change its own password: 


CLI> user password ? 
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<password> -— Change own password 
CLI> user password adminl 


Or to change the password of a specify user: 


CLI> user change-password pk3 ? 
password> —- New password 

LI> user change-password pk3 passw2 
LI> 





< 
Cc 
Cc 
3.18.3 Access Right Management 


The group (access rights level) may be changed for a specific user: 


CLI> user change-access ? 

<login> - User name 

CLI> user change-access pk ? 

<group> - Access group { user | manager | administrator } 
<0..15> - User level 

CLI> user change-access pk manager 

CLI> 


The access level can be also dropped to a lower access rights level for the current user during the opened 
session with the command: 


CLI> user drop ? 

<groups> - Access group (user|manager|administrator) 
<0..15> - User level 

CLI> user drop manager 

CLI> 
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3.19 CONFIGURATION OF COMMAND ACCESSIBILITY PER 
USER PRIVILEGE 


The purpose of this feature is to allow an administrator to customize the list of commands that can be 
accessed by a non-administrator user. By default, three user privilege levels are defined and mapped to 
TACACS+ privilege levels: user (TACACS+ privilege level = 0), manager (7) and administrator (15). Each 
CLI command has its own privilege level. If the user privilege level is greater than or equal to the command 
privilege, the user is allowed to use the command. For example, the ‘ping’ command has the privilege 0. If 
this privilege is raised, a user having the privilege level ‘user’ (i.e. privilege level = 0) cannot access the 
ping command. 


3.19.1 Configuration 


Under the configuration terminal, the privilege level of a command is defined as follows: 


CLI (configure)> privilege exec level <level> <command string> 


<level> is an integer, ranging from 0 to 15 representing the new privilege of the command. <command 
string> are the keywords designating a command or the beginning of a command whose privilege level 
is modified. The command can be found outside the ‘configure terminal’. 


To reset the default privilege level, use the following command: 


CLI (configure)> privilege exec reset <command string> 


Similarly, the command ‘privilege configure’ applies only on commands listed under ‘configure 
terminal’. To configure the privilege level of a ‘configure’ command (respectively to reset its level), use 
the next commands: 


CLI (configure)> privilege configure <level> <command string> 





CLI (configure)> privilege configure reset <command string> 


Lastly, there are configuration-commands that are duplicated under several leafs of the CLI tree. That is 
especially the case of interfaces. To configure accessibility of specified commands under an interface type, 
use the following command: 
CLI (configure)> privilege { if-atm | if-bri | if-pri | if-ethernet | if- 
fastethernet | if-loopback | if-pstn | if-tunnel | if-va | if-vt | dhcp | 
rtr | router-rip | router-ospf | router-bgp } <level> <command string> 


CLI (configure)> privilege { if-atm | if-bri | if-pri | if-ethernet | if- 
fastethernet | if-loopback | if-pstn | if-tunnel | if-va | if-vt | dhcp | 
rtr | router-rip | router-ospf | router-bgp } reset <command string> 


Nota: i £-va stands for virtual-access and if-—vt for virtual-template. 


Reminder. To view the current user privilege, use the ‘show privilege’ command. 


Example: to allow a user of level 0 to change the IP address of the Fast Ethernet ports. 


privilege exec level 0 configure terminal 
privilege configure level 0 interface fastethernet 
privilege if-fast level 0 ip address 
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3.20 


BANNER 


A banner is a text that is displayed when a user: 
e Attempts to login: a text is displayed before the prompt for login and password is shown. 
e Has successfully logged in: another text information can be displayed 
The configuration syntax is the following, beginning in global configuration mode: 
CLI (configure)> banner { exec | motd } *<string>* 
exec is for the text displayed in the second case, whereas motd is for the text displayed when attempting 
to connect. 


The <string> is delimited by stars and contains any character and can be up to 230 characters long. 
Carriage return must be entered as ‘\r\n’. For example, the following command line: 


‘banner exec *###HHHHHHHHREFFEETER RTH ERTH REEL \n\r\n OneOs Router\r\n 
\x\nadt ft at a aE aE a HE aE a aE aE a aE HE Ea EE BAR 


Will output: 

HEHE 
OneOS Router 

FAB 
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3.21 


3.21 


3.21.1. 


AAA (AUTHENTICATION, AUTHORIZATION AND 
ACCOUNTING) 


Instead of maintaining usernames and passwords inside the device, usernames and passwords can be 
centrally managed in a database. Whenever a user needs to log in, the database server is queried and 
authenticates users’ logins. Either the RADIUS or the TACACS+ protocol can be used to securely send 
login/password in access requests and returns authentication. 


A user can access to the device configuration interface in two steps: 


1. Authentication: The user login/password is checked in the RADIUS/TACACS+ database. The login and 
password are provided at the beginning of the telnet/console CLI session. If an access is granted, the user 
gets a user privilege (if configured on the server). The privilege can be increased by using the ‘enable’ 
command. Entering this command will make the router query the AAA server again. 


2. Authorization: when a command is entered, the CLI looks up the command privilege. If the configuration 
is such that this privilege requires authorization the command is submitted to the AAA server for 
authorization. The AAA server returns an access authorization or deny. 


The accounting feature is not supported in this release. 
Three levels of access rights have been defined: 


e User: only access to elementary show functions or diagnostics functions as ping (configuration 
in read-only mode). He has the level 0. 


e Manager: access to all show functions and configuration functions. He has the level 7. 


e Administrator: access to all functions including debug. He has the level 15. 


AAA configuration can be divided in two steps: 


1) Configure the list of RADIUS or TACACS+ servers (See RADIUS Authentication and TACACS+ Client). 
If you configure one or more servers of the same type, you may not have to configure any 'AAA' 
commands: by default, the device is then configured to authenticate and authorize any login from the 
console or telnet access via the configured TACACS+ or RADIUS server(s). 


2) If you need to make more advanced AAA functions, then configure AAA. (See AAA Configuration) 


-1 RADIUS Authentication 


The RADIUS protocol (Remote Access Dial-In User Service) allows transmitting securely user 
names/passwords and authenticating the user by means of a RADIUS server, which maintains a users list 
with their access rights. 


The embedded RADIUS client is configured with CLI commands. 
1 RADIUS Client Configuration 


Prior to configuring the RADIUS client, the user must enter the configuration mode: 


CLI> configure terminal 


The available commands to configure the client are: 





CLI (configure) > radius-server <RADIUS-server-ip> [<RADIUS-UDP-port>] 
<shared-key> [ <interface> <unit> ] 


The optional arguments <interface> <unit> provide the source address, which can be loopback 32 
for example. 
Example: 


CLI (configure)> radius-server ? 
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<host> - IP address of RADIUS server 

CLI (configure)> radius-server 120.1.4.5 ? 

<auth-port> - UDP port for RADIUS authentication server 
(default is 1812) 

<key> - Encription key shared with the server 

CLI (configure)> radius-server 120.1.4.5 1813 key23 

CLI (configure)> radius-server 120.1.4.6 key24 

CLI (configure)> exit 





The following command enables to view the settings to connect to the RADIUS server: 
CLI> show radius-server 


List of Radius server ----- 


IP address Port number Secret Key 
120.1.4.5 1813 key23 
120.1.4.6 1812 key24 


To disable the Radius client, use the no prefix: 


Q 


LI> configure terminal 

CLI (configure)> no radius-server 120.1.4.5 1813 
CLI (configure)> no radius-server 120.1.4.6 key24 
CLI (configure)> exit 

CLI> show radius-server 

No Radius server declared 

CLI> 





3.21.1.2 RADIUS Server Configuration 


3.21 


The RADIUS server must be configured to define users and access rights (user, manager, administrator). 
The example given below shows the configuration files for the FreeRadius Server (www.freeradius.org): 


In the file: /usr/local/etc/raddb/dictionary, add the line: SINCLUDE dictionary.oneaccess. 





In the directory /usr/local/etc/raddb/ 
Create the file dict ionary.oneaccess, which contains the access right definition: 


VENDOR OneAccess 13191 
ATTRIBUTE OA-User-Level 1 integer OneAccess 
VALUE OA-User-Level user 40 

The levels must be respected to properly work with the client. 














In the file /usr/local/etc/raddb/users, add the users as follows (here router, test, oneaccess): 


test Auth-Type := Local, User-Password == 'test' 
OA-User-Level=user 
Then, configure the passwords required by the enable command. For example, for the administrator level: 





Senab15$ Auth-Type := Local, User-Pasword == !****x*xx! 


In the file /usr/local/etc/raddb/clients.conf, add the following in order to identify the client (e.g. 
an OneOS-based router with 192.168.2.60 as IP address) and the shared secret key: 


client 192.168.2.60{ 
secret = key23 

shortname = 192.168.2.60 
} 


.2 TACACS+ Client 


TACACS+ is an authentication protocol based on TCP, which allows a network access server to offload 
the user administration to a central server, which maintains a users list with their access rights as for a 
Radius server. When a user logs in the device (using telnet), the login/password couple is sent to that 
server using the TACACS+ protocol. If the user name and password are found in the TACACS+ server 
database, the access is granted to that user. In addition to that authentication service, the TACACS+ 
server can respond with additional parameters, including access rights. 


Three levels of access rights have been defined: 
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e User: only access to elementary show functions or diagnostics functions as ping (configuration in 
read-only mode) 


e Manager: access to all show functions and configuration functions 
e Administrator: access to all functions including debug 
"TACACS" means "Terminal Access Controller Access Control System". 


TACACS+ is not compatible with other protocols of the TACACS family such as TACACS or XTACACS. 
The embedded TACACS+ client is configured by means of CLI commands. 


3.21.2.1. TACACS+ Client Configuration 


Prior to configuring the TACACS+ client, the user must enter the configuration mode: 


CLI> configure terminal 


The available commands to configure the client are: 


CLI (configure) >tacacs-server <host> [<port>] <key> [ <interface> <unit> ] 


The optional arguments '<interface> <unit>' provide the source address, which can be 
‘loopback 32' for example. When the user enters ‘enable’ or ‘enable 15’, an authentication for enable 
is sent. This message contains the username and the desired privilege level. The server should prompt for 
a password and compare the response with the password configured for the user Senab15$. The 
username is by default the username provided at login. But it could be changed so that username is 
Senab15S. To force the use of the username: 





CLI (configure)> no tacacs use-username 


Example: 


CLI (configure)> tacacs-server ? 

<host> - IP address of TACACS+ server 

CLI (configure)> tacacs-server 1.2.3.4 ? 

<auth-port> - TCP port for TACACS+ authentication server (default is 49) 
<key> - Encryption key shared with the server 

CLI (configure)> tacacs-server 1.2.3.4 477 iopme 

CLI (configure)> tacacs-server 1.2.3.5 iopmeu 

CLI (configure) > 


The following command enables to view the settings to connect to the TACACS+ server: 
CLI> show tacacs-server 
List of TACACS+ server 
I P address Port number Secret Key 


1.2.3.4 477 iopme 
1.2.3.5 49 iopmeu 





To disable the TACACS+ client, use the 'no' prefix: no tacacs-server <host> [<port>] 


CLI> configure terminal 

CLI (configure)> no tacacs-server 1.2.3.4 
CLI (configure)> no tacacs-server 1.2.3.5 
CLI (configure)> exit 

CLI> show tacacs-server 

No TACACS+ server declared 

CLI> 


477 


3.21.2.2 TACACS+ Server Configuration 
3.21.2.2.1. With Enable Passwords 


The TACACS+ server must be configured to define users and access rights (user, manager, and 
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administrator). 


On the free TAC_PLUS server, the configuration looks so for a user login: 


user = henry { 
login = cleartext mypassword 


} 


Then, you can configure the passwords for level 0 (user), level 7 (manager), level 15 (administrator). 


User = Senab0S { 
login cleartext ****x*xxx 


} 


User = Senab7$ { 
login cleartext ****xxxx 


} 
User = Senab1i5$ { 


login cleartext ****xxxx 


} 


3.21.2.2.2 With Pre-Defined User Privileges 


A major issue with the configuration method presented before is the lack of security and flexibility: the 
enable 15 password is shared among all users. It is more desirable that each user gets a unique 


password and that a privilege level be associated to that user. 
Example 1 with TAC_PLUS: 


user = henry { 
login = cleartext mypassword 
service = exec { 

priv-lvl = 7 

} 
} 


Example 2: 


user = henry { 
login = cleartext mypassword 
member = admingroup 


} 


user = antoine { 
login = cleartext otherpasswd 
member = admingroup 


} 


group = admingroup 
service = exec { 
priv-lvl = 15 

} 

} 


3.21.3 AAA Configuration 


The default AAA behavior is the following (i.e. when no AAA commands were entered): 


e If no TACACS+ or RADIUS servers are configured, the local password file is used 


e If TACACS+ or RADIUS servers are configured and if at least one of them is reachable, 
authentication is done with the AAA server(s) when logging in, no command authorization is done. 


e If TACACS+ or RADIUS servers are configured and if none of them is reachable, authentication is 


done using the local password file, no command authorization is possible. 


To configure user authentication with AAA, use the following command from the global configuration mode: 


CLI(configure)> [no] aaa authentication login {default 


| console | 
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3.21 


network } { <group-name> | radius | tacacs } 
If default is used, all accesses via console or telnet/SSH are controlled using the configured AAA 
servers. 
e = If the radius keyword is entered, all the RADIUS servers are used in the order they are configured. 
e = If the tacacs keyword is entered, all the TACACS+ servers are used in the order they are configured. 


e =If a <group-name> is entered, the servers from that AAA server group are used. See configuration 
hereafter. 


To configure the servers for enable authentication (i.e. the servers that are queried when the user enters 
the enable command), use the following command: 


CLI(configure)> [no] aaa authentication enable {default | console 
network } { <group-name> | radius | tacacs } 


To configure an AAA server group, first create the server group as follows: 


CLI (configure)> [no] aaa group server { radius | tacacs } <group-name> 


Then enter the list of servers: 


CLI (config-sg-tacacs)> [no] server { <A.B.C.D> | <server-hostname> } 


To enable AAA authorization for a given privilege level: 





CLI (configure)> [no] aaa authorization command <level> default tacacs+ 


<level> represents a command privilege. Once this command is entered, every command having the 
same privilege level must be authorized by the AAA server. 


The last "A" of AAA stands for accounting. TACACS+ permits the accounting of configuration sessions. 
AAA accounting is only supported with TACACS+ servers. To inform a TACACS+ server(s) about users 
logging in and out of the router, use the following command in global configuration mode: 


CLI (configure)> aaa accounting exec default start-stop { tacacs+ | group 
<tacacs-server-group> } 


To disable CLI session accounting, enter the following command: 





CLI (configure)> no aaa accounting exec 
The AAA command accounting feature logs any entered command by an user on a TACACS+ server. The 
AAA command accounting is activated for commands of a given privilege level: 
CLI(configure)> aaa accounting commands <level> default stop-only { 
tacacs+ | group <tacacs-server-group> } 
To disable command accounting: 
CLI (configure)> no aaa accounting commands <level> 
In some cases, one wants to enter straightaway in 'exec' mode (i.e. with the highest privilege level) without 
entering the 'enable' command. The command is the following: 


CLI (configure)> [no] aaa authorization exec {default | console | network} 
if-authenticated 


-4 Show Functions 


Several show routines are available: 


CLI> show aaa 


CLI> show statistics { radius | tacacs } 
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3.22 DATE/TIME SYNCHRONIZATION 


3.22.1 Showing Current Date/Time 


To show the current date, use: 
CLI> date 


To show the current time: 


CLI> time 
3.22.2 Setting Date/Time 


The date is set as follows: 


CLI> date <dd>:<mm>:<year> 


The device time is set as follows: 


CLI> time <hh>:<mn>[:<sec>] 
3.22.3 Setting Time-zone and Summer Time 


Time synchronization protocols such as SNTP provide a clock that is referenced on the international 
reference (GMT). To adapt the GMT time to the local time, it can be necessary to adjust the time zone and 
the seasonal time (summer time). 


They are configured as follows, beginning under configuration terminal: 


CLI (configure)> clock timezone <name> <-23..+23> 


Where <-23 .. 23> is the hour offset you want to apply on the GMT time. 
The summer time period is set as follows: 
CLI (configure)> clock summer-time recurring <name> { <1l-4> | first | last 


} <day> <month> <time> { <1-4> | first | last } <day> <month> <time> 


e name is an arbitrary string that can ease readability (for example: CET, Paris, GMT ...). The first part 
designates when the summer time starts. The second part is for winter time. Where the arguments 
have the following meaning: 


e 1-4 | first | last: designates the week when the summer/winter time starts 
e day: is the day of the week when the summer/winter time starts (Sunday for example) 
e month: is the month when the summer/winter time starts (March for example) 


e time: is the time when the summer/winter time starts (02:00 for example) 
3.22.4 SNTP Client 
The SNTP protocol (Simple Network Time Protocol) enables to synchronize time via a connection to a 


NTP server. 


The SNTP client is configured with CLI commands either in broadcast mode (to accept NTP packets from 
any NTP broadcast server) or via a specific connection to a Known server (to request NTP packets from 
the known NTP server). 


The command show sntp gives the status of the SNTP client. 
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3.22.4.1 


Broadcast Mode 


To configure the SNTP client in broadcast mode to accept NTP packets from any NTP broadcast server, 
use the following command: 


CLI (configure)> sntp broadcast client 
CLI (configure)> exit 


Use the show command to display SNTP status: 





CLI> show sntp 

SNTP server Stratum Version Last Receive 
200.19.0.1 10 3 00:00:11 Synced 
Broadcast client mode is enabled 

CLI> 


3.22.4.2 Mode with Specified Server 


When the broadcast mode is not used, to configure the SNTP client to request NTP packets from a 
specified NTP server, use the following command: 





CLI (configure)> sntp server <server-ip-address> [ <source-if> <unit> ] 
CLI (configure)> exit 





Use the following command to configure in seconds the duration between two requests sent to the NTP 
server when synchronized (default 64 seconds): 


CLI (configure)> sntp poll-interval <seconds> 


Use the show command to display SNTP status: 





CLI> show sntp 

SNTP server Stratum Version Last Receive 
200.19.0.1 10 3 00:00:37 Synced 
Broadcast client mode is not enabled 
CLI> 


3.22.4.3 SNTP Client Service Removal 


The SNTP service client SNTP is stopped with the next commands: 


Or 


CLI> configure terminal 
CLI (configure)> no sntp broadcast client 
CLI (configure) > 


Q 


LI> configure terminal 
LI(configure)> no sntp server 200.19.0.1 
LI (configure) > 


Q 





Q 


3.22.5 SNTP Server 


The OneOS SNTP server can be enabled to provide date/time synchronization to LAN devices such as IP 
phones. 


The next command configures the SNTP Server to send packets in broadcast or multicast mode where the 
following parameters can be set: 





<intfname> <intfindex> - output interface (example: “fastEthernet 0/0”); 


[<maddr>] - destination multicast address (for multicast); if not set, the interface broadcast address 
is used; 


[<src-port>] (default=123) - output packet source port; 


[<dst-port>] (default=123) - output packet destination port; 
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e = [<po11>] (default=64) - sending interval in seconds; 
e =[<tt1>](default=64) - output packet ‘time to live’; 


Adding no before the sntp-server command disables the SNTP server previously configured. 


CLI (configure) > [no] sntp-server broadcast <intfname> <intfindex> 
[<maddr>] [sre-port <src-port>] [dst-port <dst-port>] [poll <poll>] [ttl 
<ttl>] 


The following command specifies that the onboard SNTP server shall use the synchronization of the 
embedded SNTP client to send broadcast packets. If the command is enabled and the SNTP client is not 
synchronized, the SNTP Server does not send any broadcast packet and it responds to SNTP request by 
setting the 'stratum' field to '0' and 'Leap Indicator’ to '3' (alarm condition - clock not synchronized). 


The no form of the command disables the ‘client-reference’ mode. 


CLI(configure)> [no] sntp-server client-reference 


The "sntp multicast command configures the SNTP server so that it responds to multicast 
requests. The command parameters are: 





e <intfname> <intfindex> - interface where multicast is active (example: “fastEthernet 0/0”); 
e <maddr> - listen multicast address; 
e = [<src-port>] (default=123) - listen port; 
The multicast response mode can be disabled with the ‘no’ form of the command. 
CLI (configure)> [no] sntp-server multicast <intfname> <intfindex> <maddr> 
[srce-port <src-port>] 
The "sntp unicast .." command enables the unicast/broadcast mode of the SNTP server such that it 
responds to unicast and broadcast requests. The listen port can be configured as follows: 
e =. [<src-port>] (default=123) - listen port; 
The unicast response mode can be disabled with the ‘no’ form of the command. 


CLI (configure)> [no] sntp-server unicast [src-port <src-port>] 


The debug command can be used for troubleshooting purpose. 


CLI> [no] debug sntp-server 


This command shows the current SNTP server configuration and statistics. 


CLI> show sntp-server 


Configuration Example 


configure terminal 
sntp-server client-—reference 
sntp-server unicast 

exit 
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3.23 SYSLOG CLIENT 


The SYSLOG service allows to send event to several SYSLOG servers (maximum: 2). The SYSLOG 
server can store/filter/orocess incoming messages, so that network administrator can use standard, UNIX- 
based tools. 


This facility is enabled via CLI commands when configuring 'events', such as for gshds1: 


CLI> event filter add sys gshdsl all syslog 


3.23.1 Adding a SYSLOG Server 


You are able to declare one or more SYSLOG server. The following commands are used: 


CLI> configure terminal 
CLI (configure)> syslog server { < hostname > | < A.B.C.D > } <0-23> 


The first parameter is the server address. The second parameter (facility number, ranging from 0 up to 23) 
must be set according to the server configuration. 


Note: many manufacturers (such as Cisco) use 23 as default facility number. 
You are also able to bind the SERVER client to a defined interface: 


CLI(configure)> syslog server { < hostname | A.B.C.D > } <0-23> 
<interface-type> <unit> 


Example: 


CLI (configure)> syslog server hostn 2 ? 
ethernet - Bind to Ethernet interface 
fastethernet - Bind to FastEthernet interface 
atm —- Bind to ATM interface 

serial —- Bind to Serial interface 

loopback - Bind to Loopback interface 

tunnel - Bind to tunnel interface 


<cr> 
CLI (configure)> syslog server hostnl1 20 atm 0.1 
CLI (configure)> syslog server hostn2 21 atm 0.2 


3.23.2SYSLOG Server Removal 


To remove a SYSLOG server, use the following command: 


CLI> configure terminal 
CLI (configure)> no syslog server { <host-name> | <A.B.C.D > } <facility- 
number> 


3.23.3SYSLOG Server List 


A show command may be used to list all the defined SYSLOG servers: 


CLI> show syslog servers 


Server Facility Interface 
Hostnl 20 Atm 0.1 
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3.23.4 SYSLOG Server Configuration 


The following information provides some hints for a Linux syslog server configuration: 
The standard UDP port 514 is used by the SYSLOG client to access the server. 


The configuration file "syslog.conf" must contain the name and the path of the text file to log the 
messages according to the used facility: 


local0.* /var/log/one400_evt 


"localo" corresponds here to the facility number 16 (defined in syslog.h) 
If you edit the file "one400_evt", you are able to see the logged events: 


Jun 18 18:43:30 222.222.222.222 vxTarget event: 18:43:30 18:06:2004 Event 
AT™ 
IPOA STATUS_12 1 Ipoa if=0 vpi=0 vci=34 pvc modification requested 
Jun 18 18:45:27 222.222.222.222 vxTarget event: 18:45:27 18:06:2004 Event 























IPOA STATUS_12 1 Ipoa if=0 vpi=0 vci=34 pvc modification requested 
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3.24 


PERFORMANCE PROBE 


The performance probe agent (PPA) is embedded software that performs active monitoring of the network 
performance. 


3.24.1 Performance Probe Agent —- Path Measurement (PPA-PM) 


3.24.1. 


1 Introduction 


PPA-PM manages probes sending test packets to a specified destination. The test packets must be 
returned by the receiver after inserting additional information in packets. By means of this information, the 
sender is able to calculate interesting quality metrics of the IP path from source to destination, including 
packet loss, round trip delay and jitter. 


PPA-PM requires a sender (emitting test traffic) and responder (looping test traffic back to sender). When 
the responder loops a packet, the responder inserts a timestamp. Let us assume T(i, 74) as the time 
stamp for the i-th packet, at the j-th step. 


Sender Responder 
T(1,1) 
T(1,2) 
T(1,3) 
T(1,4) 
T(2,1) 
T(2,2) 
T(2,3) 
T(2,4) 


The sender and responder do not have the same time; their clocks are most probably not synchronized on 
the same source (we assume an offset Toff exists between both clocks). Let us assume that the transit 
delay for packet 1 is D. 


Toff + T(1,2) = T(1,1) + D 


The round trip delay (RTD) is: 

RTD = T(N,4) - ( T(N,3) + Toff ) + ( T(N,2) + Toff ) - T(N,1) 
If we assume that the processing delay in responder is negligible, we can simplify the formula with 
T(N, 2) =T (N, 3). The formula is: 

RTD = T(N,4) - T(N,1) 


The jitter on one-way delay is the time difference between the one-way transit delays of two consecutive 
packets. This jitter can be measured from source to destination and vice-versa. 








JittersD T(N+1,2) + Toff T(N+1,1) (TAN;2) + -Tott-— TN; 1)) 
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JitterSD = T(N+1,2) -— T(N+1,1) - (T(N,2) - T(N,1)) 


Similarly, jitter from destination to source: 




















JitterDS = T(N+1,4) -— T(N+1,3) - (T(N,4) - T(N,3)) 


Every packet carries a sequence number, so that PPA-PM can identify packet loss ratio. 
PPA-PM is configured to forge test packets in three ways: 


e ICMP Timestamp Request: the sender emits ICMP packets whose type is 13 (Timestamp request). 
The responder must respond with its own timestamp with ICMP packet type 14. This is a standard 
requirement of the ICMP protocol. In other words, the responder can be any router type & make. This 
allows to measure packet loss, round trip delay and one-way jitter. 


e UDP Timestamp: the sender sends UDP packet in an OneAccess proprietary format. The responder 
must listen to the appropriate port and respond with a timestamp included in UDP reply packet. This 
allows to measure packet loss, round trip delay and one-way jitter. 


e UDP Ping: the sender sends UDP packet in an OneAccess proprietary format. The responder must 
listen to the appropriate port and respond with an appropriate UDP reply packet. This allows to 
measure packet loss and round trip delay. 


3.24.1.2 Configuring PPA-PM Responder 


The PPA-PM responder must be configured on responding routers only if UDP ping or UDP timestamp 
probes are needed. 


The next command starts or restarts the PPA-PM Responder on a specified port and binds the Responder 
on an ip address or on an interface if specified (binding means a received packet is accepted if it is 
destined to the specified IP address or if it is received on the requested interface). If the Responder is 
restarted, the statistics are reset. 


CLI(configure)> ppa-pm responder port <port-number> [address <inet- 
address> | interface <if-name> <if-—number>] 





To disable the PPA-PM responder (default state: disabled), enter the ‘no’ command: 


CLI (configure)> no ppa-pm responder 
3.24.1.3. Configuring PPA-PM Sender 


A PPA-PM session must be created. A session is an object containing configuration information and 
statistics of a probe. It is identified by a unique ID. To start configuring a PPA-PM session: 


CLI (configure)> [no] ppa-pm session <session-id> 


The probe type must be specified: 
CLI (ppa-pm-cfg)> type { jitter-icmp-timestamp | jitter-udp-ping | jitter- 
udp-ping-timestamp } 
The target address must be defined (If the port parameter is not used the target port is the one specified by 
the “ppa-pm default udp port”): 


CLI (ppa-pm-cfg)> target address <inet-address> [port <port-number>] 


The next session parameters are all optional. 
The source address can be forced: 


CLI (ppa-pm-cfg)> source { address <ip> | interface <type> <unit> } 


Now we can set an ‘owner’ parameter for the probe: 
CLI (ppa-pm-cfg)> owner <string> 
We can set a timeout for the operation, the interval between successive executions of the probe, the 


DSCP (TOS) value to be set in the IP packets or the size of the payload. Note that the frequency (in 
seconds) should be greater than the timeout value (which is set in milliseconds) 
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ppa-pm-cfg)> frequency <time-in-s> 
ppa-pm-cfg)> timeout <time-in-ms> 
ppa-pm-cfg)> tos <decimal-value> 
) 


Cl 
Cl 
Cl 
Cl ppa-pm-cfg)> data-request size <data-size-in-bytes> 





LI ( 
LI ( 
LI ( 
LI ( 


The ‘frequency’ is the time interval between two consecutive measurement campaigns. The 'timeout' is the 
time the device shall wait before considering the packet lost. 


Note about the TOS: if the user wants to study network packet loss based on packet precedence, the 
proper TOS value should be selected. It is important to consider that red packets may be re-colored by 
traffic policing. One should activate color-aware packet marking to avoid the precedence field to be 
upgraded. 


The PPA-PM sends several packets during a measurement campaign. The number of packets within one 
test campaign is defined as follows: 


CLI (ppa-pm-cfg)> packet count <number> 


The timeout for packet reply (enabling detection of packet loss) is set as follows: 


CLI (ppa-pm-cfg)> timeout <milliseconds> 


Complete session configuration with the ‘exit? command: 
The timeout for packet reply (enabling detection of packet loss) is set as follows: 


CLI (ppa-pm-cfg)> exit 


By default, the destination port must be specified in ppa—pm session, but the default destination port can 
be set (default: 7777): 


CLI (configure)> ppa-pm default udp port <port-—number> 


To schedule a PPA-PM probe (i.e. to program the launch of measurement campaigns), the ‘ppa-pm 
schedule’ command must be entered: 


CLI (configure) > ppa-pm schedule <session-id> start { now | <HH:MM:SS> } 
3.24.1.4 Configuration Example 


Example with two routers connected back-to-back by fastEthernet 0/0. 





Responder Side: 


configure terminal 
interface fastEthernet 0/0 
ip address 10.10.10.1 255.255.255.0 
exit 
ppa-pm responder port 35000 


Sender Side 


configure terminal 
interface fastEthernet 0/0 
ip address 10.10.10.2 255.255.255.0 
exit 
ppa-pm session 1 
type jitter-udp-ping-timestamp 
target address 10.10.10.1 port 35000 
exit 
ppa-pm schedule 1 start now 


3.24.1.5 Statistics 


To show the status and statistics of the PPA-PM responder: 


CLI> show ppa-pm responder 
PPAPM Responder status for port 7777: running 
received UDP-PING packets:0 
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received UDP-PING-TIMESTAMP packets: 
sent UDP-PING packets: 

sent UDP-PING-TIMESTAMP packets: 
received invalid packets: 
application specific errors: 


fatal errors: 














OL@ (Ol OuN@r@: 


obal statistics 
UDP-PING packets: 
IMESTAMP packets: 
sent UDP-PING packets: 
sent UDP-PING-TIMESTAMP packets: 
received invalid packets: 
application specific errors: 
fatal errors: 


PPAPM Responder gl 
received 
received UDP-PING 























OOOO OOO 


To show the configuration of a PPA-PM session (if session-number is not specified, all sessions are 
shown): 


CLI> show ppa-pm session [<session-number>] configuration 











session/packet type: ICMP TIMESTAMP (ITS), UDP, UDP TIMESTAMP (UTS) 

> session | target | packet | timeout(ms) | data size(B) 
status | source | frequency(sec)| interval(ms)| tos 

> 39 192.168.1.2 :7777 10 (UDP) 1000 32 
active 192.168.1.1 1 20 a 


To show the statistics of a PPA-PM session (if session-number is not specified, all sessions are shown): 


CLI> show ppa-pm session [<session-number>] operational-state 











session/packet type: ICMP TIMESTAMP (ITS), UDP, UDP TIMESTAMP (UTS) 
PPA-PM session: 39 (active) 
owner: ppa-pm-0 
target: 192.168.1.2:7777 
source: 192.168.1.1 
packet: 10 (UDP) 
frequency: lsec 
timeout: 1000ms 
interval: 20ms 
data size: 32bytes 
tosé 21 


no statistics available 


used resources: 235bytes, OUDP socket(s), Otask(s) running 


3.24.2 Response Time Reporter (RTR) 


RTR operates by generating and analyzing traffic to provide a set of performance measurements such as 
network delay, packet loss, availability and jitter. The task of measuring a specific metric is called a 
"probe". Currently, the supported probes are ICMP Echo, which performs a classic ping operation on a 
target, ICMP PathEcho, which performs a series of ping on every hop of the path from the source to the 
target, like in a "traceroute" operation and pathJitter, which calculates round trip delays and a jitter 
measurement of the round trip delay on the path. 








The probes can be scheduled to be executed continuously or for a determined period of time, starting 
immediately or after a specific delay, or even triggered by events such as the failure of another probe. 


The results of each probe can be analyzed by the PPA agent, filtered and eventually stored. Depending on 
the values, the results can trigger events such as the start of another probe or notifications to a network 
management system via SNMP traps. 


The creation and scheduling of probes and retrieval of results can be done via CLI or SNMP. 
3.24.2.1_ Configuration of a Probe via the CLI 


Probes are identified with a number in the 1-2147483647 range. In order to facilitate the management of 
probes, they can have an "owner" string and a "tag" string attached. 
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To create the probe, we use the following command, in global configuration mode: 
CLI (configure)> rtr session <session-id> 
The CLI enters the rtr configuration mode, where we can configure the operational parameters of the 


probe, such as target address, filtering options and data collection. Note that we can only use the type 
command at this point, to define the type of the operation and the target address. 


CLI(conf-rtr)> type echo protocol ipIcmpEcho <target-address> [<source- 
address>] 
Example: 
CLI (conf-rtr)> type echo protocol ipIcmpEcho 193.168.0.10 
This command creates an ICMP echo probe, with the target address 193.168.0.10. Wecan set alsoa 
source address to use for the probe. 


To create an ICMP EchoPath probe, we use: 





CLI (conf-rtr) > type pathEcho protocol ipIcmpEcho <target-—address> 
[<source-address>] 


To create a PathJitter probe, the command is: 


CLI (conf-rtr)> type pathJitter dest-ipaddress <target-address> [source- 
address <source-address>] [number-of-packets <number>] [interval 
<milliseconds>] [targetOnly] 


The number of packet parameter (default: 10) designates the number of packets sent at each 
measurement. They are sent every <interval> ms (default: 20 ms). If the keyword targetOnly is 
used, the packets are sent directly to the destination address, without probing the path. 


Now we can set other parameters for the probe: 


CLI (conf-rtr)> owner <string> 
CLI (conf-rtr)> tag <string> 


We can set a timeout for the operation, the interval between successive executions of the probe, the 
DSCP (TOS) value to be set in the IP packets or the size of the payload. Note that the frequency (in 
seconds) should be greater than the timeout value (which is set in milliseconds) 


CLI 
CLI 
CLI 
CLI 


conf-rtr 
conf-rtr 
conf-rtr 
conf-rtr 


> frequency <time-in-s> 
> timeout <time-in-ms> 
> tos <decimal-value> 


( 
( 
( 
( > request-data-size <data-size-in-bytes> 


The frequency is the time interval between two consecutive measurement campaigns. The timeout is 
the time the device shall wait before considering the packet lost. 


Note about the TOS: if the user wants to study network packet loss based on packet precedence, the 
proper TOS value should be selected. It is important to consider that red packets may be re-colored by 
traffic policing. One should activate color-aware packet marking to avoid the precedence field to be 
upgraded. See section 4.15.2.3. 


Another important setting is the threshold value, which can be used for triggering events and filtering the 
results with better granularity. For example, we can set the timeout to 300 ms, and a threshold of 100ms 
will enable us to be notified of a deterioration of the quality of service before this becomes a problem. 


CLI (conf-rtr)> threshold <time-in-ms> 
3.24,2.2 Probe Scheduling via CLI 


Once the probe was created and all the parameters set, we can schedule the probe for execution via the 
"rtr schedule' command: 


CLI (configure)> rtr schedule 1 ? 


e ageout <0-2073600>: How long to keep this Entry when inactive 


e life <0-2147483647>: Length of time to execute in seconds 
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e start-time now: Start Now 


e start-time pending: Start Pending 


e start-time hh:mm[:ss]: Start Time (hours: minutes [:seconds]) 


e <cr> 


We can start the probe immediately with the now option, at some specified time or leave it in a pending 


state, waiting to be triggered via an event. 


We have the possibility to stop the probe after a determined interval with the lifetime option, and for 
temporary probes we can set an ageout value. After the probe has been stopped, and the specified 


number of seconds has elapsed, the probe will be deleted automatically. 


We will start the probe immediately, with a lifetime of 5 minutes: 


CLI (configure)> rtr schedule 1 life 300 start-time now 


Note that a scheduled probe cannot be modified. The rtr session command will display a warning 
message if you attempt to reconfigure an active probe. To suppress session scheduling, use 'no rtr 


session <session-id>'. 


3.24,2.3 PPA Statistics 


The 'show rtr' command allows us to inspect the status of the probes, as well as the results: 


CLI>show rtr ? 
application - RTR Application 


collection-statistics - RTR Statistic Collections 


configuration - RIR configuration 


distributions-statistics - RTR Statistic Distributions 


history - RTR History 
operational-state - RTR Operational State 
reaction-trigger RTR Reaction Trigger 





Except for'show rtr application’, which displays general information on the PPA module, all 'show 


rtr' commands accept an optional parameter for displaying just one entry. 


Example of output for a pathEcho probe: 





CLI>show rtr configuration 999 


Complete Configuration Table (includes defaults) 





Entry Number: 999 

Owner: 

Tag: 

[Type of Operation to Perform: pathEcho 








Reaction and History Threshold (milliseconds) : 


Operation Frequency (seconds): 60 
Operation Timeout (milliseconds): 5000 
Verify Data: FALSE 
Status of Entry (SNMP RowStatus): active 
Protocol Type: ipIcmpEcho 

Target Address: 192.168.0.1 

Source Address: 0.0.0.0 

Target Port: 0 

Source Port: 0 




















Control Packets: enabled 
Loose Source Routing: disabled 





LSR Path: 
Type of Service Parameters: 0 
Life (seconds): 3600 


ext Scheduled Start Time: Pending Trigger 
Entry Ageout: never 

Connection Loss Reaction Enabled: FALSE 
Timeout Reaction Enabled: FALSE 

















Request Size (Request/Response protocol data portion): 
Response Size (Request/Response protocol data portion): 
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[Threshold Reaction Type: never 
Threshold Falling (milliseconds): 3000 
Threshold Count: 5 

Threshold Count2: 5 














Reaction Type: never 

Number of Statistic Hours kept: 2 

Number of Statistic Paths kept: 5 

Number of Statistic Hops kept: 16 

Number of Statistic Distribution Buckets kept: 1 
Statistic Distribution Interval (milliseconds): 20 
Number of History Lives kept: 2 

Number of History Buckets kept: 15 

Number of History Samples kept: 16 

History Filter Type: all 


CLI>show rtr operational-state 999 

Current Operational State 

Entry Number: 999 

odification Time: *10:26:19.000 UTC THU JUN 24 2003 
Diagnostics Text: 

Last Time this Entry was Reset: Never 

Number of Octets in use by this Entry: 19750 
Connection Loss Occurred: FALSE 
Timeout Occurred: TRUE 
Over Thresholds Occurred: FALSE 
Number of Operations Attempted: 60 

Current Seconds Left in Life: 0 

Operational State of Entry: inactive 

Latest Completion Time (milliseconds): 23 

Latest Operation Return Code: Ok 

Latest Operation Start Time: *11:25:21.000 UTC THU JUN 24 2003 
Latest: 192.168.0.1 






































3.24.2.4 Advanced Features 


The PPA can be configured to analyze, filter and store the results of the probes, and to react to specific 
conditions, either via CLI or via SNMP. 


Storage of the results is enabled via the history facility, which can be configured to filter the samples 
retained. 


CLI (conf-rtr)> lives-of-history-kept <nb-of-history-kept 0..2> 
CLI (conf-rtr)> filter-for-history { all| failures| overthresold| none } 


By default, no history is kept (lives-of-history-kept 0 and filter-for-history none). The 
filter "al1" keeps all probe results, the filter "none" none of them, the filter "overThreshold" only probes 
that have the result over the threshold (like the Round-Trip Time (RTT) for an echo operation) and the filter 
"failures" only failed probes (like timed-out or unreachable). 


show rtr history will display the collected data: 


CLI>show rtr history 


Point by point History 

Multiple Lines per Entry 

Line 1 

Entry = Entry Number 

LifeI = Life Index 
BucketI = Bucket Index 
SampleI = Sample Index 
SampleT = Sample Start Time 
CompT = Completion Time (milliseconds) 
Sense = Response Return Code 

Line 2 has the Target Address 
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Entry Lifel BucketI Samplel SampleT CompT Sense 
999 1 57 1 1088076141 1 1 
cO A8 0 1 
999 1 58 i 1088076201 1 1 
CO A8 0 1 
999 a 59 1 1088076261 al 1 
CO A8 0 1 
999 1 60 a 1088076321 a i 
CO A8 0 1 








Entry is the RTR session identifier; Life is the index of the history kept; BucketI is the index of the 
bucket (see below) in the history life; SamplelI is the index of the sample in the bucket; SampleT is the 
time of the sample (as the number of milliseconds since the last system boot up); CompT is the time within 
the operation has bee completed; Sense is the return code of the operation (see next table). 


Sense return code Description 
1 OK 








Disconnected 
Over threshold 








Timeout 





Busy 





Not connected 





NN] OO] oOo}; BR] Ow] PP 


Dropped 














others Error specific 





Another feature is the possibility to store results in separate "buckets", according to the result of the probe. 
The following commands will parse and store results in the categories: 


CLI (conf-rtr) >distributions-of-statistics—kept <number-of-buckets> 
CLI (conf-rtr) >statistics—distribution-interval <time-steps-—in-ms> 
For that example, for the following buckets: 0-4ms, 4-8ms, 8-12 ms, 12-16 ms, >16 ms 


CLI (conf-rtr) >distributions-of-statistics-kept 5 ! 5 buckets 
CLI (conf-rtr) >statistics-—distribution-interval 4 ! 1 bucket=4 ms interval 





The following show command will display the cumulated statistics for each of the defined buckets: 





CLI>show rtr distributions-statistics 333 


Captured Statistics 
Multiple Lines per Entry 
Line 1 
Entry = Entry Number 
StartT = Start Time of Entry (hundredths of seconds) 
Pth = Path Index 
Hop = Hop in Path Index 
Dst = Time Distribution Index 
Comps = Operations Completed 
OvrTh = Operations Completed Over Thresholds 
SumCmp = Sum of Completion Times (milliseconds) 
Line 2 
SumCmp2L = Sum of Completion 
SumCmp2H = Sum of Completion 
TMax = Completion 

















Times Squared Low 32 Bits (milliseconds) 
[Times Squared High 32 Bits (milliseconds) 
Time Maximum (milliseconds) 














TMin = Completion Time Minimum (milliseconds) 

Entry StartT Pth Hop Dst Comps OvrTh SumCmp 
SumCmp2L SumCmp2H TMax TMin 

333 1088103929 1 1 1 0 0 0 
0 0 HE 1 

333 1088103929 1 1 2 3 0 14 
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0 66 3) 4 

33:3 1088103929 1 1 3 2 0 17 
0 145 9 8 

333 1088103929 1 1 4 0 0 0 
0 0 1 I. 

333 1088103929 1 Hb is) 0 0 0 
0 0 1 a 





Entry is the RTR session identifier; StarT is the start time of the interval (as the number of milliseconds 
since the last system boot up); Pth is the path index number (only valid for pathEcho probes otherwise 
1); Hop is the hop index number in the path (only valid for pathEcho probes otherwise 1); Dst is the time 
distribution index within the interval; Comps is the number of operations that have completed successfully; 
OvrTh is the number of operations that have timed out; SumCmp is the sum of completed operation times 
for all successful operations in the row (in milliseconds); SumCmp2L is the low-order 32 bits only of the sum 
of the square roots of completion times (in milliseconds) for the successfully completed operations; 
SumCmp2H is the high-order 32 bits only of the previous sum; TMax is the highest recorded completion 
time per interval (in milliseconds); TMin is the lowest recorded completion time per interval (in 
milliseconds). 








The PPA can be configured to react to different conditions with specific actions, for each probe. One 
example is starting a pathEcho operation in response to a timeout on an echo operation, in order to 
determine the point of failure. Session 2 is recording only probes that go over the threshold of 40 msec. 
Once the probes start timing out at 100ms, session 1 is started and all data is recorded. 





rtr session 1 
type pathEcho protocol ipIcmpEcho 10.0.0.1 
distributions-of-statistics-kept 3 
filter-for-history all 
lives-of-history-kept 2 
statistics-—distribution-interval 20 
paths-of-statistics-kept 1 
hops-of-statistics-kept 1 
samples-of—-history-kept 1 
buckets-of-history-kept 4 
exit 

rtr schedule 1 start-time pending 

rtr session 2 
type echo protocol ipIcmpEcho 10.0.0.1 
distributions-of-statistics-kept 3 
threshold 40 
timeout 100 
filter-for-history overThreshold 
lives-of-history-kept 2 
statistics-distribution-interval 20 
paths-of-statistics-kept 1 
hops-of-statistics-kept 1 
samples-of—-history-kept 1 
exit 

rtr reaction-configuration 2 action-type triggerOnly 

rtr reaction-configuration 2 timeout-enable 

rtr reaction-trigger 2 1 

rtr schedule 2 start-time now 


The exact syntax to trigger a session based on events requires the triggered session to be in pending state 
(rtr schedule <session-id> start-time pending). Then the trigger must be enabled for the 
"calling" session, this command: 





CLI (configure) > rtr reaction-configuration <session-id> action-type 
triggerOnly 


If the action is triggered by a timeout, use: 


CLI (configure)> rtr reaction-configuration <session-id> timeout-—enable 


If the action is triggered by a threshold, the command is the following: 
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CLI (configure)> rtr reaction-configuration <session-id> threshold-type { 
average | 
consecutive <number-of-occurrences> | 
immediate | 
never | 
xOFy <x-value> <y-value> } 








If consecutive is selected, the RTR waits that the threshold is crossed as much consecutive times as 
configured. If xoFry is selected, the action is triggered if the threshold was crossed x times during the last y 
samples. 


After that the action trigger is set, the session with an attached trigger must be associated with a session 
that is called when the trigger is activated: 


CLI (configure)> rtr reaction-trigger <calling-session> <called-session> 


Then, the calling session must be scheduled to complete the configuration. 
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3.25 HTTP(S) SERVER 


The embedded Web server can use either HTTP or HTTPS or both protocols. It is called "HTTP Server" in 
all the cases in the following. 


The HTTP or HTTPS Server relies on the OneOS feature called "Web Configurator Factory" (WCF). WCF 
is a framework allowing a user to load on the router self-designed web pages. A separate document 
explains the WCF features and the web page implementation. 


The present document only deals with HTTP or HTTPS Server activation and configuration. 
3.25.1 Installing a Set of Web Files 


Web files can be installed one-by-one in flash file system. To make an update easier, one can upload a 
TAR file in flash and untar it. The TAR file should contain all HTML files, JS, Gif ... The untar operation 
overwrites existing files if already present in flash. However, before decompressing the files, the untar 
function can remove all files of a directory and its sub-directories. 


First download the Tar file. For example, with TFTP: 
CLI> copy tftp://myserver/webconfigurator.3.7r10.e3.tar web.tar 


Then, the command to clean/untar files is: 


CLI> untar <source> <dest-directory> [clean-up [all-sub-dir]] 


For example: 


CLI> untar web.tar /webroot clean-up all-sub-dir 
3.25.2 Configuring HTTP Server 


The HTTP protocol and the HTTPS protocol are both available by default. To select HTTP only, or HTTPS 
only or both protocols, use the next command under configuration terminal: 


CLI (configure)> http-server protocol { http-and-https | http-only | 
https-only } 
Warning: to use HTTPS, a valid certificate must be associated to the OneOS-based router. Refer to 
chapter 3.26 Certificates management for more information. 


The HTTP server is disabled by default. To enable/disable the HTTP server, use the next command under 
configuration terminal: 


CLI (configure)> http-server { enable [<path>] | disable } 
The <path> is the path of the root of web pages, where the files logon. htm and index.html are 
located. By default, the root path is flash: //webroot. 


Users accessing the web pages must be authenticated. The user login and passwords are checked from 
the local password file (Elash: //password file). Configuration example: 


CLI> user add <webuser> <webpassword> <weblevel> 
By default users configured in the flash://password file can login on the web Configurator. Those 


users could also access the CLI. It may be desired to strictly separate CLI and web users. To operate the 
web server in this mode (with web only users), first the http-server must be started with an extra option: 


CLI (configure)> http-server enable <path> allow-web-users-only 


Then a web-only user can be created via the next command: 


CLI (configure)> http-server user add <username> <password> <access-level> 
[invite-password-change] [already-encrypted] 
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The username and the password are 64-character strings that contain any character except ":", "!", "2", 


MO" "AN Me" "SS" " i he jas "", "space", "apostrophe", "quotation mark" and "tab". 
The access-level is a number ranging from 0 to 15 (O=user, 7=manager, 15=admin). The access-level has 
the following functions: A page can be seen by a logged user if the page has got the default access 
authorization level or it is lower than or equal to logged-in user level (see 3.25.3). It is also used to check 
the executed CLI commands through web interface. 


The keyword invite-password-change sets a flag that will be used by the web Configurator to request 
a user to change his own password (so the web pages must support this facility, which is fully optional on 
the web pages). The already-encrypted keyword tells that the password is encrypted via MD5. 


” 


If the command “http-server user add is executed for a username that already exists, the 
following warning is displayed “User already exists; Taking new attributes into account”. In this case, the 
user is internally deleted, then re-created with the new user parameters. 


N.B.: it is possible to create web users from IBC. If the user was already created from IBC, ‘http-server 
user add <username> ... will NOT overwrite the user parameters. 


To delete a web-only user: 


CLI (configure)> http-server user delete <username> 


The web configurator generates CLI commands from HTML forms and sends the CLI to the product. By 
default, any command that is syntax-wise correct is accepted. However, OneOS can check that either the 
entered CLI privilege level is not greater than a required level (Command ‘http-server wef cli- 
exec-level <max-command-level>’) or the CLI level is lower than or equal to logged user level 
(command 'http-server wcf cli-exec-level http-user'’). Syntax: 





CLI (configure)> http-server wcf cli-exec-level {<0-15> | http-user} 


By default, the http server is reachable by any IP interface (atm, loopback, fastEthernet ... IP 
addresses). To attach the server to one or more interface, use the ‘http-server bind’ command: 





CLI (configure)> http-server bind <interface> <unit> 


To unbind the server from an interface, use the ‘no’ form of the command: 


CLI (configure)> no http-server bind <interface> <unit> 


To unbind the server from any interface (i.e. attach to all interfaces, which is default): 
CLI (configure)> http-server bind any 
As security measure, it is also recommended to attach an access-list to the server. It prevents access to 


the HTTP server from untrusted IP networks. To restrict access to HTTP server for HTTP clients matching 
an access-list: 


CLI (configure)> http-server acl <acl-—name> 


To detach the access-list: 





CLI (configure)> no http-server acl 


The outcome of applying changes on every HTML page is to create a set of CLI commands that is 
executed immediately by the system when the HTML form is posted. If the changes must be saved, the 
CLI commands must contain the command save running Or write terminal. 


autoconfiguration could be used. This feature updates the router configuration and software. In other 
words, the downloaded configuration by autoconfiguration eliminates changes made by the HTTP 
server by overwriting the saved configuration. However, it is still possible to overcome this incompatibility. 
The process runs as follows: first, CLI commands executed by the HTTP server are saved in flash (in 
flash://webroot/WCFSYSFILES). Then, autoconfiguration downloads a new configuration and reboots 
the router. If OneOS reads the command http-server wcf exec-web-cli, all the CLI files in 
flash: //webroot/WCFSYSFILES are executed again, so that settings from htto-server are again active. 
To enable/disable this behavior (disabled as default): 














CLI (configure)> [no] http-server wcf exec-—web-cli 
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Users are automatically logged out after expiration of an inactivity timeout. By default, it is 1200 seconds. 
To set timeout: 


CLI (configure)> http-server timeout {default | <10-100000> } 


Note: unauthorized connection attempts are subject to blacklisting (see 3.27). 


3.25.3 HTTP Proxy 


When a LAN device is associated to a gateway, the HTTP proxy is implicitly enabled on the gateway. 
During association, the gateway learns the LAN device name. The ‘short device name’ is the device name 
where ‘_’ and subsequent parameters are stripped. All HTTP requests whose URL contains a pattern 
matching the short device name is forwarded to the LAN device. For more information on association, refer 
to 4.17.3. 


The http server must be enabled on the LAN device in a special mode, because the HTTP protocol 
between LAN device and gateway is authenticated in a special mode. To enable the HTTP server in LAN 
device mode: 


CLI (configure)> http-server enabled device-—mode 


3.25.4 Web Page Access Restriction 


3.25.4.1 Restriction File Format 


Every logged user on the web server is associated with a user level. By default, all pages are accessible. It 
is possible though to display only pages for users whose level is greater than or equal to the page level. 


Aim of this security issue for WCF is to control the access level of WEB pages using one configuration file 
placed in each folder. This can be easily done using some .ini files. These .ini files must be named 
".wcefaccess.ini". Access level is read & set at HTTP Server startup or when the following command is 
triggered: 


CLI (configure)> http-server wcf access-level reload 


In order to implement the Access Level issue for WCF, the following format rules is used for the . ini files: 
a section for each file must be created and inside it place a keyword called Access-level, as follows: 


[<resource-—name> ] 

Access-level = <Access—Level-Value> 
Example: 

[index.html] 


Access-level = 2 


[WEPKeyConfig.htm1] 
Access-level = 2 


[WlanConfig.html] 
Access-level = 9 


By default, when the HTTP Server is enabled, the logon.htm page always has access level set to 0 
(even ifa".wcfaccess.ini" file modifies this level). One must take care that the user does not change 
the access level of the logon. htm page. The rest of the files have their access level set to 1. When the 
engine is triggered, if a file has a custom access level specified in a".wcfaccess.ini" file, its access 
level is changed to the specified one. 


Since the use of ". wcfaccess.ini" files is not mandatory, the user can set the default access level that 
will be assigned to the all files managed by the HTTP server. The following CLI allows doing this: 


CLI (configure)> http-server wcf access-level default <default-—level> 


Example: 


CLI (configure)> http-server wcf access-level default 15 


Note: if no default access level is set, the default level will be 1 (like in previous versions). 
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3.25.4.2 Assign access level to a new page 


The following CLI is available to assign a custom access level to a WEB page: 
CLI(configure)> http-server wcf access-level assign <absolute-resource- 
path> <access-level> 
Note: custom access level can be assigned to any WEB Resource (html, css, js, jpg). 


Note: when assigning/removing the access level for a resource, all actions are written in the .ini file. In 
order to effectively set the new access level to WEB Resources, use “reload” command or re-enable the 
HTTP Server! 


3.25.4.3 Delete access level entry for a page 


The following CLI is available in order to remove from “.wcfaccess. ini” file the entry for a specific WEB 
resource: 


CLI (configure)> http-server wcf access-level delete <absolute-resource- 


path> 


Note: this command can be triggered at any moment (even if the HTTP Server is up or not)! 
3.25.4.4 Display access level settings 


Following “show” commands are available: 


CLI> show http-server wcf access-level stored-access-level [<location-— 
path>] 
CLI> show http-server wcf access-level default-—access-—level 
CLI> show http-server wcf access-level current-—access-—level 





Note: index.html page is registered twice: as URL “\” and as URL “\index.htm1”. On command 
“show http-server wcf access-level current-access-—level?” it should appear twice, once for 
each URL. On command “show http-server wcf access-level stored-access-level” is 
should appear once since we have one single file on flash. 











CLI> show http-server wef access-level <location-path> 


In order to display all access levels assigned (in specific . ini file) to all resources from a specific WEB 
project, following CLI is available: 


CLI> show http-server wcf access-level stored-access-level [<location-— 
path>] 
Following format must be used to display information (like "1s" in Linux): 


<absolute-resource-path> <access-level> 
Path displayed is relative to <location-path>. All pages in the WEB project must be displayed, even if 
they have no custom access level defined in the “.wcfaccess.ini”! 


For resources defined in the .ini file, developer must display the access level specified in the 
.wcfaccess.ini file. For resources that are not defined in the .ini file, developer must display the 
default access level. 


Parameter <location-path> is optional and can be a folder on the flash or a single file (WEB 
Resource). If not provided, it will be the starting location of the HTTP Sever (if up; if HTTP Server is down, 
an error message must be displayed). Full path must be provided to the desired folder/resource. 


This following command displays the default access level. 
CLI> show http-server wcf access-level default-—access—level 
This show command displays the current access-level status for all WEB Resources. In this case, the 


access-level value is retrieved from HTTP Server's structures, not from the . ini files (meaning we display 
the access-level which is effectively set on a resource). 


This command can be triggered only when HTTP Server is up and displays access-level for all WEB 
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resources as they are retrieved from HTTP Server's resources list. 
3.25.5 Debugging HTTP Server 


To activate WCF traces: 

CLI> debug wef 
WCF Simulation mode is intended to be used when testing WEB Pages. It can do the value matching 
between HTML fields and a custom file ("flash: //webroot/simconf.cfg"), instead of extracting html 


field values from “show run”. Also, it never executes the CLI generated - it will only display the list of 
commands contained in the WEB page. 


CLI (configure)> [no] http-server wcf simulation-mode 
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3.26 CERTIFICATES MANAGEMENT 


Note: the certificates management depicted below is not meant to deploy certificates on a large scale. 


The OneOS-based router is able to manage up to five certificates: 

e The HTTPS server certificate (always present). 

e The TR-69 device certificate (always present only in some versions). 
e The TR-69 root certificate (always present only in some versions). 

e The IPsec/IKE (ISAKMP) root certificate (not always present). 

e The IPsec/IKE (ISAKMP) client certificate (not always present). 


Note: a default HTTPS server certificate is always present to assure the functioning of HTTPS .This 
default HTTPS will however generate an HTTPS warning. It can be replaced by a customized one 


(see below). 


3.26.1 Showing the content of the certificates 


To show the content of all available certificates on the device, use the following command in global mode. 


CLI> show certificates 


Example with only the default HTTPS server certificate available: 





CLI> show certificates 
default HTTPS server certificate: 
Certificate: 
Data: 
Version: 3 (0x2) 
Serial Number: 302127474 (0x12021972) 
Signature Algorithm: shalWithRSAEncryption 
Issuer: CN=OneOS_Device, OU=OneAccess, C=FR 
Validity 
Not Before: Aug 29 09:27:31 2008 GMT 
Not After : Mar 1 09:27:31 2037 GMT 
Subject: CN=OneOS_Device, OU=OneAccess, C=FR 
Subject Public Key Info: 
Public Key Algorithm: rsaEncryption 
RSA Public Key: (1024 bit) 
Modulus (1024 bit): 




















00:6b7:50:c4:85:3c:a8:33:25:e5:6c:fe:15: 
88:67:91:d6:84:70:£9:2f:£9:8b:c9:b6:17: 


ad: fe:39:fe:56:cf:62:d8:2f:74:01:6b:al 


be: fe:ld:dc:4c:63:3c:77:c0:e0:34:cc:27: 
a8:60:4b:24:3f:ec:e7:13:84:3f:30:0e:da: 
73:39:b9:86:£7:45:a5:0e:dce:1c:81:42:03: 
b7:16:25:£2:3b:bd:4a:06:72:ef:74:7b:c2: 
Oa:1b:8b:69:48:95:cd:b6:30:67:91:c3:58: 


c3:4e:28:22:fe:8c:1b:62:e7 
Exponent: 65537 (0x10001) 
X509v3 extensions: 

X509v3 Subject Key Identifier: 








X509v3 Authority Key Identifier: 





24 


sol 
6f: 
02: 
06: 
25% 
cd: 


202%: 
220°: 
OS: 
8:95 
OTs 
Os 
39% 
9c: 


E£4:39:DA:83:48:A2:02:83:96:21:29:BF:6D:03:B3:BB:A5:06:BA: 61 


keyid:E4:39:DA:83:48:A2:02:83:96:21:29:BF:6D:03:B3:BB:A5:06:BA:61 
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X509v3 Key Usage: 
Digital Signature, Key Encipherment, Certificate Sign 
X509v3 Extended Key Usag 
TLS Web Server Authentication 
Signature Algorithm: shalWithRSAEncryption 
18:6e:0c9:ac:18:95:43:7e:72:55:32:70:5e:86:c8:59:60:3d: 
9a:bd:e2:11:20:17:09:98:ae:c8:49:a7:c4:b0:29:20:1b:95: 
96:69:26:0b:46:ea:ce:04:ec:de:a6:2d:cb:23:e8:9d:fa:cc: 
69:3d:77:cl:ca:£7:30:17:dd:86:e9:fa:8b:7£:09:32:06:4e: 
aiy05209%544 77 i L4563:233:33 968-629 13i8d83orr i233 lbs 153 
05:95:ea:e6:73:6b:da:c2:b7:6e:8e:70:32:47:7c:c8:97:4e: 
89:7b:1e:29:06:f4:a7:6a:5d:85:9a:76:a4:4e:d2:49:59:e7: 
88:e2 




















To display the content of all available certificates, use the following command lines. The detail optional 
parameter adds the subject public key and the signature information to the output. 


To display the list of the IPSEC CA certificates, use the following command line: 


CLI> show crypto pki ca [detail] 


To display the list of the IPSEC certificates, use the following command line: 


CLI> show crypto pki certificates [detail] 


To display the list of all available device certificates in the Secure Information Area (SIA) and the TR69 
root certificate, use the following command line: 


CLI> show crypto pki device-certificates [detail] 


To display the list of all available HTTPS server certificates, use the following command line: 





CLI> show crypto pki https [detail] 


3.26.2 Configuring the certificates to be generated 


To configure the HTTPS server certificate or the IPsec Certificate Signing Request (CSR) that will be 
generated (see below), first enter in certificate control mode; then use the configure command. 


CLI> certificate 
CLI (certificate) > configure 
CLI (cert-conf) > 





In this mode, a number of attributes can be changed before an HTTPS server certificate or an IPSec CSR 
is generated. 


The attributes that can be changed are described in the following paragraphs. 
3.26.2.1_ Subject Distinguished Name attribute 


The Subject Distinguished Name (DN) attribute is a set of fields describing where the subject is 
geographically and its role within an organization. 


To set the Subject DN Country field, use the following command line: 


CLI(cert-conf)> [no] subject C <name> 


To set the Subject DN State field, use the following command line: 


CLI(cert-conf)> [no] subject ST <name> 


To set the Subject DN Locality field, use the following command line: 











CLI(cert-conf)> [no] subject L <name> 


To set the Subject DN Organization field, use the following command line: 
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£)> [no] subject O <name> 


e Subject DN Organization Unit field, use the following command line: 


CLI (cert-conf)> [no] subject OU <name> 


To set th 
C 


e Subject DN Common Name field, use the following command line: 


LI (cert-conf)> [no] subject CN <name> 


To set th 
c 


e Subject DN email address field, use the following command line: 








LI(cert-conf)> [no] subject email-address <name> 


Note: for a self signed certificate, these fields will also be put in the Issuer DN field. 
3.26.2.2 Subject Alternative Name attribute 
The Subject Alternative Name extension allows various literal values to be included in the configuration 
file. These include host name, IP address and other Name (user). 
It is allowed to combine the 3 types of Subject Alternative Name. 


To set the content of the Subject Alternative Name host name field, use the following command line: 


CLI (cert-conf)> [no] alt-subject-name hostname <name> 


To set the content of the Subject Alternative Name IP address field, use the following command line: 


CLI (cert-conf)> [no] alt-subject-name ip-address <ip-address> 


To set the content of the Subject Alternative Name user field, use the following command line; (note that 
some browsers require that this field matches the host part of the URL of the HTTPS connection). 


CLI (cert-conf)> [no] alt-subject-name user <name> 
3.26.2.3 Key length and cipher type attribute 


To set the key length and cipher type, use the following command line: 


CLI(cert-conf)> [no] key { rsa-1024 | 


rsa-512 } 


3.26.2.4 Key usage attribute 





To set the extendedKeyUsage field to TLS server authentication, use the following command 
line; (note that some browsers require this to be set to use the certificate for HTTPS). 


CLI(cert-conf)> [no] key-usage server-authentication 
3.26.2.5 Certificate enrollment 
To specify the URL of the TFTP server where the request should be sent and where to obtain the signed 


certificate, use the following command: 


CLI (cert-conf)> [no] enrollment url tftp://ip_address/filename 


ip_address is the IP address of the TFTP server. 
filename is the {base-name} (without extension) of the certificate or certificate request. 


The extensions ". key", ".ca", ". req", ".cer", ".p12" or ".pem" are automatically added to the {base- 
name}, depending on the action taken in the import or enroll command. 


Note: Restrictions apply to the name of ISAKMP certificates. See below. 


ISAKMP certificates conventions 


The ISAKMP CA certificates must be located in the /security/ca directory. The certificates in this 
directory are used for the actual X.509 authentication. 
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The ISAKMP trusted certificates must be located in the /security/certs directory. These certificates 
are required to have a subjectAltName extension containing the certificate holder identity; usually ip- 
address, hostname (FQDN), or user-fqdn. 


The ISAKMP certificates are loaded at boot-time or after entering the command: 


CLI (configure) > crypto pki reload 


The ISAKMP private keys must be located in the /security/private directory. This directory contains 
the private keys matching the public key of our certificate (which should be in the /security/certs 
directory, and have an appropriate subjectAltName field). The name of the file must be of the format: 
ip-address, hostname Or user-—fqdn. 


The name of the key file must consist out of the value of the self-identity (also called local identity) type 
configured. 


Examples: 


e for self-identity type 1p-address the filename could be 172.31.10.1 (the IP address of the egress 
interface) 


e for self-identity type hostname the filename could be router1l.mydomain.com (the hostname of the 
local router) 


e for self-identity type user-—fqdn the filename could be user@mydomain.com or user (the email 
address or name of a local user) 


Note: if no local key file is found that matches the above described types, the file Local.key is used as 
the local key for the ISAKMP rsa-sig authentication. A certificate with a matching public key must exist 
inthe /security/certs directory. 


A certificate can only be validated if the time and date is set correctly on the router (see time, date and 
sntp commands). If the time and date is not correct, the message certificate is not yet valid 
will be displayed when the router tries to validate an ISAKMP certificate. 


3.26.2.6 Miscellaneous commands 


To remove a parameter from the certificate configuration, use the no form of the command line. 


To return to the default setting for all fields, use the following command line. It can be preferable to use this 
command first, prior configuring the fields, to ensure that the device starts with the known default 
configuration. 


CLI (cert-conf)> default 


To exit the certificate configuration mode: 


CLI (cert-conf)> exit 
CLI (certificate)> exit 
CLI> 





3.26.3 Creating the certificates 
3.26.3.1 Self-signed HTTPS server certificate 


To generate a self-signed HTTPS server certificate, use the following command in certificate control mode. 
The certificate will be placed in the /security/https_one.pen file. 


CLI (certificate) > enroll self-signed 


If a certificate already exists, it will be replaced. If no configuration has been done, a certificate with 
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CN=device serial number will be generated. The certificate serial number is also based on the device serial 
number, but with a trailer to guarantee uniqueness if this action is performed multiple times. 





Note: the "generate self-signed" command is deprecated and replaced by the "enroll self- 
signed" command 


3.26.3.2 Certificate signing request 


To generate a certificate signing request (CSR) and send the request to the URL configured in the 
enrollment command, use the following command in certificate control mode. If TFTP is chosen to enroll, a 
file with the name {base-name}. req will be transferred to the CA (Certificate Authority). 


CLI (certificate) > enroll signing-request 
3.26.3.3 Certificate import 


To import a CA certificate and place it in the /security directory with name {base-name}.ca (with 
{base-name} being the actual file name of the certificate), use the following command: 


CLI (certificate) > import ca [purpose isakmp] 


The keyword purpose isakmp should be added to the command line if the CA certificate is used for 
ISAKMP crypto. In this way the CA certificate will be placed in the /security/ca directory. 


To import a signed certificate and place it in the /security directory with name {base-name}.cer, use 
the following command: 


CLI (certificate) > import certificate [purpose isakmp] 


The keyword purpose isakmp should be added to the command line if the certificate is used for 
ISAKMP crypto. In this way the certificate will be placed in the /security/cert directory. 


To import a signed certificate in the privacy enhanced mail (PEM) format and place it in the /security 
directory with name {base-name} .pem, use the following command: 


CLI (certificate)> import pem [purpose https] 


The keyword purpose https should be added to the command line if the .pem file contains an HTTPS 
server certificate. In this case the .pem file should also contain the appropriate private key. 


To import a Public Key Cryptography Standards 12 (pkcs12) package and place it in the /security 
directory with certificate name {base-name}.cer and private key name {base-name}.key, use the 
following command: 


CLI (certificate)> import pkcs12 <key> [purpose isakmp] 
The key used for decrypting the package should be provided to you by the certificate authority. If the 
certificate is used for ISAKMP crypto, then the keyword purpose isakmp should be added to the 


command line. In this way the certificate will be placed in the /security/cert directory and the private 
key will be placed in the /security/private directory. 


3.26.4 Certificate matching against criteria 
3.26.4.1_ Configuring the criteria to which a certificate must comply 


A crypto certificate map defines the criteria to which an X509 certificate must comply. To configure a PKI 
certificate map entry, and enter in certificate map configuration sub-level, use the following command line: 


CLI (configure) > crypto pki certificate map <name> <priority> 
CLI (cert—map) > 
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name is the name of the certificate map; priority is the priority of the certificate map (0-10000). 


When creating a new certificate map a priority is required. This priority will be taken into account when 
matching a certificate to a certificate map; maps with the same name but different priorities will all be 
checked starting with the map with the highest priority (lowest number). 


To remove a certificate map, use the following command line: 
CLI (configure)> no crypto pki certificate map <name> [<priority>] 


The version of the command without the priority will delete all maps with the given name. When a priority is 
supplied, only the map with the given priority will be deleted. 


All criteria can be supplied in 4 different formats: contains (co), not contains (nc), equals (eq) and not 
equals (ne). This means a certificate property must contain a certain string, not contain a string, be exactly 
the same or different from a given string value, respectively. Several criteria can be applied to the same 
property (e.g.co a /nce b /nce c/co d/ne da). 


The certificate (map) is valid when all criteria match. 


To configure one criterion for the subject name certificate property, use the following command: 


CLI (cert-map)> [no] subject-name { co | nc | eq | ne } <string> 


To configure one certificate alternate subject name criterion, use the following command: 





CLI (cert-map)> [no] alt-subject-name { co | nc | eq | ne } <string> 


To configure one certificate issuer name criterion, use the following command: 





CLI (cert-map)> [no] issuer-name { co | nc | eq | ne } <string> 


To remove a specific criterion for a specific certificate property, use the no form of the command. 


To empty the list of criteria of a specific certificate property, use the default command: 


CLI (cert-map)> default subject—name 
CLI (cert-map)> default alt-subject-—name 
CLI (cert-map)> default issuer-—name 


To finalize the certificate map configuration: 


CLI (cert-map)> exit 


3.26.4.2 Matching the criteria 


When certificates are used for authentication, a dedicated command allows verifying the contents of the 
arbitrary fields of the peers’ certificate. This is accomplished by applying a certificate map to an ISAKMP 
profile (see 4.7.2.4.4). 
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3.27 


BLACKLIST MANAGEMENT 


In order to protect the OneOS-based router as much as possible against brute force attacks, a blacklisting 
process is implemented for console, tshell, telnet, SSH, and web connections (login). 


For console and tshell connections: a counter in created for each service. If the entered password is 
correct, the counter is reset to zero. If the password is incorrect, the message "Unauthorized access! 
Check username and password" is displayed and the counter is incremented. When the counter becomes 
greater than or equals 3, the message "Your access to the ... is blocked for the moment’ and the answer 
to password submission is delayed by 60 seconds. 


For telnet, SSH, and web connections: at each failed connection attempt, the source IP address of the 
request is recorded in a table. After 3 successive failed connection attempts from a given IP address, the 
blacklisted flag is set and a timer of 60 seconds is started. Any following connection attempt from a black 
listed IP is immediately rejected (without even offering authentication). After timer expiry, the IP address is 
flushed from the table. Any successful connection attempt flushes the IP from the table. A black list table is 
created for each service (telnet, SSH, web). Each table has the size that corresponds to the maximum 
number of sessions for the corresponding service. If the table is full, any extra connection is rejected 
immediately without even offering authentication. 


The services that have been blacklisted are stored in two circular log files called blacklisti.log & 
blacklist2.log; each file is limited to 70 lines. 


To display the services that have been blacklisted, use the following command in global mode: 
CLI> show blacklist log 





Date | Service | IP Address 





2009.03.17 09:41:03 Telnet 192.168.1.2 
2009.03.17 09:42:37 Tshell 192.168.1.9 


2009.03.17 10:40:34 Tshell n/a 


| | 
| | 
2009.03.17 09:52:52 | Tshell | V921:68:.1. 7 
| | 
2009.03.17 15:31:51 | T | 192.168.1.9 





To display, for a particular service, the currently blocked connections, use the following command: 
CLI> show blacklist { console | tshell | telnet, | ssh | http-server } 








IP Address Attempt Count 
1.92)-1:68:. 1 37) 2 
192.168.1.9 3 (blocked) 
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4 CONFIGURATION &€ STATISTICS 
4.1 LAN CONFIGURATION 
The OneOS-based routers have several Ethernet ports. Here are the guidelines to understand port 
numbering. 
The basic syntax to enter the interface configuration mode is: interface FastEthernet 
<module>/<port>. 
Product Ethernet Port Port Designation 
ONE10 Basic configuration: 4 x Ethernet 10/100 FastEthernet 0/0 up to 0/3 
ONE30 Basic configuration: 4 x Ethernet 10/100 FastEthernet 0/0 up to 0/3 
ONE20/100 | Basic configuration: 4 x Ethernet 10/100 FastEthernet 0/0 up to 0/3 
ONE20D/M F : : FastEthernet 0/0 up to 0/3 
B f : Eth t 10/100 
ONE obiay ane Eines FastEthernet 1/0 (far-left) (*) 
Basic configuration Ethernet 10/100 
(on the left when facing device back panel) Paste niennen ure 
ONE60/200 aide 7 (next on the left after the standalone Ethernet) 
4 x 10/100 Ethernet (Option) FastEthernet 0/3 
FastEthernet 0/4 (far-right) 
Ethernet 10 (Basic configuration) Ethernet 0 
Ethernet 10/100 (Basic configuration) FastEthernet 0/0 (Disabled if the 4 x 10/100 module is added) 
FastEthernet 0/1 (on the left when facing the device back panel) 
ONE400 FastEthernet 0/2 
4 x 10/100 Ethernet Module FastEthernet 0/3 
FastEthernet 0/4 (far-right) 
Single Ethernet 10/100 Uplink FastEthernet 1/0 

















(*) This interface FastEthernet only supports the 100 Mbps full-duplex operations in auto-sense mode. If 
connected in 10 Mbps or half-duplex, this interface will not connect. The problem can appear mostly with 
devices forced in such modes or with old Ethernet hubs. 
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When the FastEthernet interface is in auto-sensing mode, the interface attempts to negotiate the fastest 
mode for transmitting over the Ethernet. If the remote equipment connected to the fast Ethernet interface 
of an OneOS-based router has enabled negotiation, full-duplex and 100 Mbps are preferred. 


You can force the Fast Ethernet interface to use a specified mode as follows: 
CLI (configure)> interface fastethernet <module>/<port> 
CLI (config-if)> duplex { full | half | auto } 
CLI (config-if)> speed { auto | 10 | 100 } 

If the remote port does not negotiate, there are two cases to consider: 


e With a module without switch: if no mode is forced, the device uses the most conservative mode (half 
duplex) and the locally measured speed is chosen (10 or 100). If the duplex mode and speed are 
forced, the configured parameters are used. 


e With a module with switch: the negotiation must be disabled to make the FastEthernet complete its 
configuration. If no mode is forced, the device uses the most conservative mode (half duplex) and the 
locally measured speed is chosen (10 or 100). 


CLI (config-if)> no negotiation 


To re-enable auto-negotiation: 


CLI (config-if)> negotiation auto 


The default values are: duplex auto, speed auto, negotiated. 


In some cases, it is desirable to force the FastEthernet port in status ‘up’, although no cable is connected. 
This permits the testing of some functions (e.g. routing) before connecting the router to a live customer 
network. 


The command is the following: 


CLI(config-if)> [no] keepalive 


The IP address is set as follows: 


CLI (config-if)> [no] ip address <AA.BB.CC.DD> <mask> [secondary] 


The interface supports an unlimited number of secondary interfaces. 
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4.2 


4.2.1 


WIRELESS LAN 


Introduction 
The purpose of this introduction is to give an overview of wireless LAN networks (WLAN) and a tutorial 
about associated protocols. 


The diagram below represents the different elements of the WLAN protocol: 


Link Layer 


Station Packet Encryption, 
Authentication Authentication 


Medium Access Control 


Radio Layer 





Figure 1. 802.11 Protocol Stack 


The 802.11 WLAN standards are made up of standards for data transmission over a radio medium and 
protocols using this medium. Overview of each functional block: 


e Radio layer: this layer transports WLAN frames over a wireless medium and converts the bit stream 
into an analog signal. Two standards are available in the OneOS-based routers: 802.11b and 802.11g 
that support transmit rates up to 54 Mbps. 


e Medium Access Control (MAC): the MAC layer determines how packets are formatted and sent over 
the air. Because the air interface is a shared medium, the MAC layer uses a transmission technique 
that selects which WLAN station can emit so that collisions are avoided. 


e Station authentication: to avoid any WLAN station to participate to a WLAN network, they must first 
be authenticated. 


e Packet encryption/authentication: packets can be encrypted and sent with a digital signature, so 
that packets cannot be read by any intruder, modified or emitted by a user spoofing the identity of 
another user. 


The OneOS-based routers offer a WLAN access point (AP) service (except ONE30/60/200/400 and 
ONECell25). In this topology, WLAN clients (laptops, desktops, PDA...) are member of a BSS (Basic 
Service Set). A BSS is workgroup, where WLAN clients communicate with each other via an Access Point 
(AP). All frames must transit through the AP. The AP sends periodically the beacon frame that contains the 
accepted transmit-rates and serves as synchronization frame for WLAN clients. 


The BSS is identified by a string called SSID (Service Set Identifier). AP and WLAN clients must use the 
same SSID to be able to communicate with each other. We can make the analogy of SSID being a VLAN 
in the wireless world: it provides a virtual separation of WLAN networks. An AP supporting multiple SSID 
can be viewed as multiple virtual AP. As WLAN clients "see" multiple AP, all protocol elements of an AP 
must be replicated (e.g. an AP with multi-SSID sends one beacon frame per SSID). All OneAccess routers 
support the multi-SSID capability. An application case for multiple SSID is the following: a company 
reserves a SSID for its internal use (access to a Microsoft network and sensitive servers) and another 
SSID for guest access (visitors can connect to the Internet while not having access to enterprise data 
resources). 
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Figure 2. Multi-SSID Application Case 


In order for a WLAN station to attach to the access point, it must go through several steps: 


e Detection of the access point: the WLAN client detects the channel on which the access point is 
emitting. The client also may detect the SSID of the available AP. 


e Association: When a client starts, a probe request is sent out with its SSID. If the SSID corresponds 
to the AP’s SSID, the AP sends a response that contains its capabilities (especially supported rates). 
Then, the client sends an association request to the selected AP and must authenticate. 


e Authentication: the WLAN standards define several authentication types. The client must be 
configured in a compatible mode with the AP. The simplest form is the "Open" authentication where 
actually no authentication takes place. A more advanced authentication scheme is WPA-PSK 
(Wireless Protected Access - Pre-Shared Key), where a pre-shared key enables strong authentication 
and is the basis for deriving an encryption key. The last authentication type is 802.1X (or simply called 
WPA). 


Encryption 


Once authentication has succeeded, the communication between the AP and the WLAN station can be 
encrypted. The encryption depends on the authentication type: 


e Open: no encryption or WEP encryption (Wired Equivalent Privacy). WEP uses a static key that is 40 
or 128 bits long. 


e WPA-PSK: WEP cannot be used, but rather TKIP or AES-CCMP. Both algorithms use a Primary 
Master Key (PMK) derived from authentication as a seed to initiate an encrypted communication 
channel between the AP and the WLAN client. 


e 802.1X: only TKIP or AES-CCMP, where a PMK derived from authentication is used as a seed for 
encryption initiation. 


TKIP (Temporal Key Integrity Protocol) was designed to replace WEP, to provide robust security without 
replacing legacy hardware. For this reason, TKIP re-use the same WEP encryption hardware: a key 
scheme based on RC4 is used, but unlike WEP, it encrypts every packet with its own unique (WEP) 
encryption key: a temporal key is generated for every sent packet that is derived from the previous 
temporal keys. The initialization vector (IV) is hashed instead of being sent in clear text, thus addressing 
one of the largest WEP security flaws. TKIP provides per-packet key mixing, a message integrity check 
(MIC) and a re-keying mechanism, thus addressing other security issues with WEP. 


CCMP is built on the Advanced Encryption Standard (AES), which provides high encryption security. The 
CCMP guaranties packet integrity and authentication. Overall TKIP and AES-CCMP provide equal security 
robustness. 
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Authentication using 802.1X 


802.1X relies on the EAP protocol (Extensible Authentication Protocol, RFC3748) that permits the 
authentication of clients to unblock a port. EAP can run theoretically over multiple media including wired 
Ethernet and WLAN (In OneOS, EAP can only be applied on a WLAN interface). Three main components 
are found in the EAP protocol: 


e  Supplicant: typically the WLAN client that initiates the authentication process. 
e  Authenticator: typically the AP. It relays authentication requests to the authentication server. 


e Authentication server: the server effectively terminates the EAP session. If authentication is 
successful, the Authentication server passes encryption keys to the Authenticator so that an encrypted 
communication can take place between the AP and the WLAN client. The authentication server is an 
AAA RADIUS server. The authenticator relays EAP requests encapsulated in RADIUS packets. 
Therefore, the authentication server is a RADIUS server that must support EAP protocol extensions. 


EAP over LAN (EAPOL) is referred to as the 802.1X standard. EAP has a special protocol ID that 
differentiates EAP from other protocols (such as IP, IPX...) in LAN/WLAN headers. 


EAP is actually a container protocol that in turn supports multiple authentication protocol (EAP-TLS, 
PEAP...). The layered architecture is provided below: 


EAP-SIM PEAP EAP-TLS EAP-PSK 


EAP 


: 
E 
a 


802.1X 


802.3 Ethernet 802.11 WLAN 


a 


Figure 3. EAP and encapsulation layers 


The EAP protocol provides a generic request-response framework. The authentication actually takes place 
within a protocol encapsulated in EAP. When EAP starts, the user must provide its identity. Upon the 
initiative of the RADIUS server, authentication starts. The RADIUS server sends challenges and expects 
responses, which are then translated to the client EAP-requests/responses. Once the authentication was 
successful, the RADIUS server forwards the Primary Master Key (PMk) to the AP. From the PMK, the AP 
can derive the encryption key to communicate with the client. 


The protocol encapsulated within EAP is rather transparent to the AP. When you configure an OneOS- 
based router to run in WPA mode, you can configure the WLAN clients with PEAP or EAP-TLS. The only 
requirement is that the clients be compatible with the RADIUS server. 


A summary diagram is presented below: 
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Figure 4. EAP Message Flow 


WPAT1.2, WPA2.0 and 802.11i 


WPA (Wireless Protected Access) version 1.2 defines TKIP & MIC algorithm to provide encrypted and 
authenticated traffic between WLAN clients and the AP. Authentication is realized via PSK or 802.1X. 


WPA 2.0 (or 802.11i) requires CCMP (with AES as encryption algorithm) as a means to secure 
communication. 802.11i brings also some improvements to allow faster hand-offs between WLAN cells. 


Wireless for Multi-Media (WMM) 


WMM provides prioritization QoS. It defines four classes called “Access Categories” (AC) derived from 
IEEE 802.11d/p standard and improves the original Distributed Coordination Function (DCF) protocol by 
giving priority traffic for each classes (EDCF). The four ACs were designed for specific types of traffic as 
voice, video, best effort and lower priority data. But the network administrator is free to choose which traffic 
should have the appropriate priority. 




















Access Categories CoS Priority (802.1q/p) 

Voice 7,6 Highest priority 
Video 5,4 

Best Effort 0,3 

Background 2,1 Lowest priority 











Wi-Fi QoS prioritizes packets based on DSCP, Precedence, 802.1q/p tag ... by assigning a Layer 2 CoS 
(Classes of Service) value of 1 to 7. The radio maintains four priority queues, one for each Access 
Categories. 


The selection process of AC is made using 3 modes (see dot 11 qos-mapping command): 


e DSCP-based only, this is default behavior: In this mode DSCP value is mapped to CoS value which in 
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turn is mapped to an AC. The default mapping is as follows: 























DSCP Value CoS Value 
46 6 
34 4 
others 0 (no CoS) 
The DSCP mapping is configurable (see dot11 qos dscp-cos-mapping command). All possible 


DSCP values can be mapped to an appropriate CoS value, which in turn is mapped to an AC. 


e CoS-based value only: In this mode the current CoS value is mapped to an AC. Previous CoS value 
may result from a “match/set” done at the input interface. 


e Based on CoS value and (if CoS not set) based on DSCP: In this mode, if the current CoS value is 
set, it is mapped to an AC, otherwise the DSCP value is used, mapped to a CoS value (using default 
mapping or the defined mapping), which in turn is mapped to an AC. 


Enhanced DCF (EDCF) provides differentiate Distributed Coordination Function (DCF) access to the 
Access Categories. EDCF have an algorithm to resolve collision among different queues, which select the 
packet with the higher priority to transmit. 


The collision algorithm uses the Contention Window (CW) and the minimum interframe space (AIFSN) 
parameters to prioritize the traffic. These parameters are defined for each AC. A backoff timer is calculated 
from a random value ranging from zero to a current CW (CW value is set initially to CWmin). If a collision is 
detected, the CW is doubled and a new random value is calculated thus resulting in a new backoff timer. 
The CW is doubled until a maximum CW value (the CWmax depends on the AC). After successful 
transmission, the CW is set again to CWmin. The highest priority queues have got short backoff times, CW 
and AIFSN. When the transmission becomes successful, the backoff timer is reset to the initial value. 


Two set of values are used based on WMM Specification 1.1 rules and/or values. 


The first_set_of values is applied by the AP for frames sent by the AP to wireless stations. These 


parameters are set using the CLI command “dot11 qos class ...”. 


CWmax 








Voice 


Video 


Best Effort 


Background 
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Values for the minimum and the maximum contention window (CW), and the slot time follow the rules 
defined by Table 15 of WMM Specification version 1.1. OneOS specifies: 

















CWmin = 15 

CWmax = 1023 

So that the equivalent Table 15 for OneOS-based routers is the following: 
Queue Priority Fixed slot time CWmin CWmax 

Number 

Voice 1 3 7 
Video 1 7 15 
Best-Effort 3 15 63 
Background 7 15 1023 




















The second set of values is advertised from AP to wireless stations using the WMM Parameters Element 
IE provided in Beacon frames, Probe Response frames and Association Responses frames for QoS-STA. 


These parameters are set using the CLI command “dot11 qos class-bss ..”. 


Values for the minimum and the maximum contention window (CW), and the slot time follow the rules 
enacted by WMM Specification version 1.1 -Table 13. OneOS specifies: 


CWmin = 15 
CWmax = 1023 


So that the equivalent Table 13 for OneOS-based routers is the following: 




















Queue Priority Fixed slot time CW min CW max 
Number 

Voice 2 3 7 

Video 2 7 15 

Best-Effort 3 15 1023 

Background 7 15 1023 

















Wireless for Multi-Media Power-Save (WMM Power-Save) 


The WMM power-save procedures are based on the legacy procedures, but an option for Unscheduled 
Automatic Power-Save Delivery (U-APSD) is added. U-APSD is a solution well suited to the dynamic 
environments where Wi-Fi is typically deployed and allows the client to download all or some of the frames 
buffered by the access point during unscheduled Service Periods. 


When enabled, U-APSD feature is negotiated with Wi-Fi stations during the association with the AP. 
Disabling U-APSD implies the use of the legacy procedures. 


4.2.2 WiFi extend Coverage 


WiFi is ubiquitous in the enterprise since PCs, PDA and smart phones now embed WiFi clients. In some 
cases the access router provides the WiFi access point feature (as for example in the OneOS-based router 
range), but the location of the access router or the size of the office could not allow covering the full 
geographical area. Adding one or more access points to have a full coverage is the solution but the 
management of all these access points may rapidly turn in a nightmare. 


The Access Point Controller (APC) is the software application included in OneOS that allow configuration 
and management in a centralized way of all the access points (AP). APC software and ONEAir1 AP 
together build the OneAccess WiFi extent coverage solution. 


ONEAir1 are business class 802.11 b/g WiFi access points. Compact and powerful ONEAir1 embeds 
enhanced features as Multi SSID (up to 4), VLAN and WMM/QOS management. Thanks to the Access 
Point Controller the ONEAir1 are associated to the OneOS-based router building so a secured WiFi 
Network. Up to 16 AP can be associated to the OneOS-based router. 
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The main functions of the APC are: 

e Secured association with ONEAir1 AP. 

e AP automatic firmware and configuration update. 
e Centralized management of AP. 

e AP configuration profile management. 


e AP and WiFi client statistics collector. 


4.2.3 Configuring WLAN 


You must first configure the SSID logical sub-interfaces. Then, you can configure the dot11radio physical 
interface. 


Note that the overall number of associated WLAN clients with OneAccess AP cannot exceed 31 clients. 
4.2.3.1 SSID Settings 
4.2.3.1.1 Common SSID Parameters 


By default, the access point indicates the SSID name in the beacon frame. WLAN clients scan the air and 
thereby get the list of SSID and AP, which they can associate with. This mode is referred to as SSID 
broadcasting or guest mode (because guest clients are invited to associate to advertised SSIDs). For 
security reasons, it is desirable to disable the guest-mode: 


CLI (configure)> interface dotllradio 0/0.<id> 
CLI (config-if)> ssid <ssid-name> 
CLI (config-ssid)> no guest-—mode 





Default: guest-mode. 


On SSID using WPA or WPA-PSK authentication, the key for broadcast frames has to be refreshed 
periodically by performing a key rotation. The broadcast key is rotated every 1800 sec by default. Enter the 
following command to change the rotation period (in seconds): 


CLI (configure)> interface dotlliradio 0/0.<id> 

CLI (config-if)> ssid <ssid-name> 

CLI (config-ssid)> broadcast-key change <30-100000000> 
The default period is set as follows: 

CLI (config-ssid)> default broadcast-key 
Intra-SSID filtering: in some cases, it is required to forbid a user attached to the AP to communicate with 
another user connected to the same AP. This can be required when you want that all packets first go 


through a firewall before being forwarded to another destination. This filtering type is always active (default 
is ‘no intraforwarding’) but can be disabled with the intraforwarding command. 


CLI (config-ssid)> [no] intraforwarding 
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The number of associated clients can be controlled in order to preserve throughput performance within a 
radio cell. By default, up to 255 associations are allowed; the number of associations can be reduced by 
means of the next command: 


CLI (config-ssid)> max-associations <1-255> 


4.2.3.1.2 Open Authentication without Encryption 


In this mode, no encryption and no authentication are activated. The configuration is fairly straightforward. 
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interface dotlilradio 0/0.<unit> 

ssid <ssid-name> 

authentication open 

encryption none 

exit 

ip address {<a.b.c.d> <mask> [secondary] | dhcp } 


4.2.3.1.3 Open Authentication with WEP Encryption 


In this mode, encryption is done via WEP key(s). You can define up to 4 keys; so 4 different users have 
their personal keys. With open authentication, actually, no authentication is done. The WEP key length can 
be 40, 104 or 128 bits long (respectively: 5, 13 or 16 characters long). Every key is registered in a key slot 
(ranging from 1 to 4) of the WLAN hardware. Keys are global to the AP, which means they are shared 
among the different SSID. That is the reason why only the default WEP keys are defined under each SSID 
and WEP keys are configured globally under the dot11radio 0/0 interface (see 4.2.3.1.6). 
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With WEP encryption, you 
configured on the AP and WLAN client. However, this mode is not recommended, as it is very easy for a 
hacker to derive the WEP key from authentication messages. The shared key authentication is enabled as 


follows: 


interface dotlilradio 0/0.<unit> 

ssid <ssid-name> 

authentication open 

encryption { wep40 | wep104 | wep128 } 
default-key <1-4> 

exit 

ip address {<a.b.c.d> <mask> [secondary] | dhcp } 


can force authentication whereby it is verified that the same shared key is 


CLI (configure)> interface dotllradio 0/0.<unit> 
CLI (config-if)> ssid <ssid-name> 
CLI (conf-ssid)> authentication shared 


Note: one must shutdown the interface when changing any authentication or encryption parameter. 


4.2.3.1.4 WPA-PSK or WPA2-PSK 


In this mode, encryption is done via TKIP or AES-CCMP. You need to select the encryption mode and the 


pre-shared key. 


CLI (configure 
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CLI (conf-ssid 
CLI (conf-ssid 
CLI (conf-ssid 
CLI (conf-ssid 
CLI (config-if 
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)> 
)> 
)> 
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)> 


interface dotllradio 0/0.<unit> 

ssid <ssid-name> 

authentication { wpa-psk | wpa2-psk } 

encryption { tkip | aes-ccmp } 

passphrase <psk-string> 

exit 

ip address {<a.b.c.d> <mask> [secondary] | dhcp } 


The psk-string Is a string of up to 63 characters. 


To remove the passphrase, use the no passphrase command. 


Note: one must shutdown the interface when changing any authentication or encryption parameter. 
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4.2.3.1.5  802.1X 


802.1X requires that all EAP frames be forwarded to a RADIUS server. Before configuring the 802.1X 
authentication mode, you must first configure the RADIUS servers dedicated to 802.1X authentication 
within an AAA group. An AAA group is configured as follows: 1) Configure some RADIUS servers. 2) 
Attach them inside an AAA group. Please refer to the AAA section for more information (see 3.21.3). 


Declaration of a RADIUS server: 
CLI (configure)> radius-server <ip-address> <key> [<port>] [ <source- 
interface> <source-if-unit> ] 
Attachment of a RADIUS server to an AAA group: 


CLI (configure)> aaa group server radius <group-—name> 
CLI (config-sg-radius)> radius <server-—ip-address> 





Example: 


radius-server 10.0.0.200 shared_secret 1812 
aaa group server radius eap_radius 

server 10.0.0.200 
exit 


If several servers are defined, OneOS will always contact the last RADIUS server in the list. 


Then, you can configure the SSID with the required encryption algorithm and associate the RADIUS server 
group. 


CLI (configure)> interface dotllradio 0/0.<unit> 

CLI (config-if)> ssid <ssid-name> 

CLI (conf-ssid)> authentication { wpa | wpa2 } <radius-aaa-group> 
CLI (conf-ssid)> encryption { tkip | aes-ccmp } 

CLI (conf-ssid)> exit 

CLI (config-if)> ip address {<a.b.c.d> <mask> [secondary] | dhcp } 


Note: one must shutdown the interface when changing any authentication or encryption parameter. 


4.2.3.1.6 | Global Interface Settings 


WEP keys are defined under the interface: 


CLI (config-if)> key-value <slot> <key-string> 


Reminder: The WEP key length can be 40, 104 or 128 bits long (respectively: 5, 13 or 16 characters long). 


When you have completed the doti1radio 0/0 configuration, you must enter the 'no shutdown' 
command. The ‘no shutdown’ command activates the radio interface, which is ‘shutdown’ by default. 


CLI (config-if)> no shutdown 


Limiting the transmit-power of the AP is necessary if interferences between neighboring cells must be 
reduced. The default transmit-power is set to its legal maximum: 


CLI (configure)> interface dotllradio 0/0 
CLI (config-if)> default power local 
CLI (config-if)> power local { full | min | half | quarter | eighth } 


By default, the AP accepts client association running in 802.11b or 802.11g. The client associations can be 
filtered by using the command “mode”. This command is used to set the BBS Basic Rate Set and the 
Operational Rate Set as specified by the 802.11 standard. A client must support all Basic Rates to be 
associated with the AP. The mode is common to all SSID. The command “mode” accepts two arguments, 
first one is mandatory and second one is optional. 


CLI (configure)> interface dotllradio 0/0 

CLI (config-if)> mode { 11b [11-only | 11b-only] 
| Llborlig [ll-only | 11b-only | 11b-and-llg | 11lg-only] 
| 11g [11g-only] } 


The different modes are summarized in the following table, rates are in Mbps. 
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Optional 11b- 11b- = 
parameter only only | 11b-and-11g ae l peas = 
to set =default =default y 


4 1,2,5.5, 1,2,5.5, 1,2,5.5,11 
BAleen ies ia 


1,2,5.5,11 1,2,5.5,11 
1,2,5.5,11 6,9,12 6,9,12 
18,24,36,48,54 18,24,36,48,54 


STA mode 

802.11b] 802.11b| 802.11b| 802.11b 
ableto | g02141g| 80211g] 80211g| 80211g| 802-119 | 802119}  802.11g 
associate 


Note that some combinations are equivalent. 


Operational 
rates 





The transmission rate is selected dynamically using a rate control algorithm. Also the transmission rate can 
be forced to a specific value using the command “speed”. Setting a speed value forces the transmission 
rate of all frames except control frames (ACK, RTS, CTS, PS-Poll) and Beacon frames. The rate control 
algorithm is then disabled so that first frame is always transmitted at this rate, but if this frame is not 
acknowledged, it can be retransmitted with a lower rate. Allowed values for this parameter depend on the 
mode as described previously. In “mode 11b” only values 1, 2, 5.5 and 11 are available. The argument 
“best” enables the rate control algorithm and is the default behavior. When the user changes the mode, the 
“speed” parameter is reset to default value, regardless of old “speed” parameter. 


CLI (configure)> interface dotllradio 0/0 
CLI (config-ssid)> speed {1.2 | 5.5 | 11 | 6 | 9 | 12 | 18 | 24 | 36 | 48 
| 54 | best } 





The number of associated clients can be controlled in order to preserve throughput performance within a 
radio cell. By default, up to 255 associations are allowed; the number of associations can be reduced by 
means of the next command: 


CLI (configure)> interface dotllradio 0/0 
CLI (config-ssid)> max-radio-associations <1-255> 





The radio channel is selected within the 2.4 GHz band. The radio channel is selected as the channel 
number (ranging from 1 to 13) or as the frequency (from 2,412 to 2,472 MHz). Be aware that not all 
channels are authorized by regulation authorities where the product is installed. For your information, all 13 
channels are authorized within EMEA except France. To force the regulatory domain, use the command 
dot11 location ... (see next section). To force the channel: 


CLI (configure)> interface dotllradio 0/0 
CLI(config-if)> channel { <1..13> | 2412 | 2417 | ... | 2472} 





channel 11 is the default behavior. It scans all channels. If the two optional parameters are provided, 
the scanning is done between those two channel frequencies. If the channel determined as best is the 
currently selected one, the AP switches to the 2™ best channel. This is to force the AP to switch between 
channels. If you want to restart channel scanning, enter the command dot11 restart. 


You can select the preferred mode when the AP is equipped with 2 antennas. The default mode (antenna 
diversity) is recommended, because it dynamically selects the antenna providing highest performance. 


CLI (configure)> interface dotllradio 0/0 
CLI (config-if)> antenna select { left | right | diversity } 





Clear Channel Assessment (CCA) threshold is specified to be -62 dBm to meet IEEE 802.11 specification. 
The next command allows increasing this threshold in some noisy environments where channel is 
considered busy without any 802.11 valid frames. You should keep the default CCA value unless you 
notice that the channel is busy although there is no traffic (idle activity should be less than 4% in show 
dotl1l channel-activity). Having an idle channel detected as busy can result in bad throughput 
performance. However, do not set CCA to a high value as it degrades reach (stations far from the AP send 
with a weak signal; the received signal can be weak enough to be under CCA threshold). 


CLI (configure)> interface dotllradio 0/0 
CLI (config-if)> cca <-62..0> 





Page 4.2-115 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


The beacon period is the time interval between two consecutive beacon frames. 


CLI (config-if)> beacon period <20-1000> 


The default beacon period is configured in milliseconds. Default is 100 msec. To restore the default 
beacon period: 


CLI (config-if)> default beacon period 


Some optimizations have been brought to the 802.11 protocol in order to maximize autonomy of battery- 
powered devices such as WLAN mobile phones. The DTIM field in the beacon frame (Delivery Traffic 
Indication Map) indicates whether there are some packets waiting to be sent to a power-saving device. 
The DTIM count provides the periodicity after which the power-saving device should wake up, examine the 
beacon frame and sleep again if there are no frames addressed to the device. By default, the DTIM count 
is 2, i.e. the DTIM field is included in the beacon frame in every 2 beacon frames. To override the default 
DTIM count: 


CLI (config-if)> beacon dtim <1-100> 


To restore the default DTIM count: 





CLI (config-if)> default beacon dtim 


The RTS threshold is the quantity of data that must be accumulated for sending within the AP before trying 
to request access to medium (i.e. sending a Request-To-Send -RTS- frame). Setting a short RTS 
threshold is often beneficial to throughput, as small packets do not have to wait unnecessarily. RTS 
threshold = 0 provides the best performance with one WLAN station and AP for TCP-based flows (as TCP 
ACK are sent without waiting, TCP flow control increases the emission rate). Setting a high threshold is 
recommended when the traffic profile is verbose and bursty (ex: on a bridge AP). To set the RTS threshold 
(in bytes, default value 2347 bytes): 


CLI (config-if)> default rts threshold 
CLI (config-if)> rts threshold <0-2347> 


The fragmentation threshold is the maximum frame size emitted on the WLAN medium, resulting of the 
fragmentation of a packet. A high fragmentation threshold is recommended if you want the best throughput 
whereas a low fragmentation threshold is recommended if you want the best reach (fragmentation 
improves robustness towards a high bit error ratio, but adds protocol overhead). To set the fragmentation 
threshold (in bytes) and set the default value (2346 bytes): 


CLI (config-if)> fragmentation-threshold <256-2346> 
CLI (config-if)> default fragmentation-threshold 


Source MAC address filtering (Station filtering): it might be desirable to accept frames only from selected 
stations (i.e. received frames with certain MAC source addresses). In some other cases, it may be useful 
to ban a user (i.e. only drop frames with certain source MAC addresses). By default, this mode is always 
activated. 


For filtering configuration, first enter in SSID configuration mode: 


CLI (configure)> interface dotllradio 0/0 
CLI (config-if)> 





For source MAC address filtering, the filtering mode must be selected. If the mode is allow (default), you 
will then enter the list of client MAC addresses, which are allowed to connect to AP. If the mode is deny, 
you will then enter the list of client MAC addresses, which are NOT allowed to connect to AP. To disable 
such filtering please enter the mode none. The MAC addresses are entered by means of the acl-add 
command (respectively removed by acl-del). An optional alias name can be associated to the MAC 
address to facilitate the understanding of the result of the debug and show commands (see 4.2.4). 


CLI (config-if)> acl-mode { allow | deny | none } 
CLI (config-if)> acl-add <AA>:<BB>:<CC>:<DD>:<EE>:<FF> [alias <alias>] 
CLI (config-if)> acl-del <AA>:<BB>:<CC>:<DD>:<EE>:<FF> 




















4.2.3.2 WMM and U-APSD Parameters 


The “QoS WMM” and the "Power-Save mode" functionalities are configured inside “interface 
dot11lradio” configuration mode. 


To enable “QoS WMM’” (with or without U-APSD): 
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CLI (configure)> interface dotllradio 0/0 
CLI (config-if)> dot11 qos wmm [uapsd] 





Note: to apply this change one must reboot the equipment after having saved the configuration. 
To disable U-APSD: 

CLI (configure)> interface dotllradio 0/0 

CLI (config-if)> no dot1l qos wmm uapsd 
To disable "QoS WMM": 


CLI (configure)> interface dotllradio 0/0 
CLI (config-if)> no dot1l qos wmm 


“ 


The configuration of access categories queues parameters for the AP is done inside “interface 
dot1llradio” configuration mode. For each AC, an intermediate node is used to configure queues 
parameters. To enter in an AC intermediate node: 


CLI (configure)> interface dotllradio 0/0 
CLI (config-if)> dot1l1l qos [class | class-bss] [background | best-effort 
| video | voice] 
To configure a Contention Window min: 
CLI (config-if)> dot1l1l qos [class | class-bss] {background | best-effort 
| video | voice} cw-min <min-value> 
To restore the default Contention Window min: 
CLI (config-if)> dot1l1l qos [class | class-bss] [background | best-effort 
| video | voice] 
CLI (qos)> no cw-min 
To configure a Contention Window max: 
CLI (config-if)> dot1l1l qos [class | class-bss] {background | best-effort 
| video | voice} cw-max <max-value> 
To come back to the default Contention Window max: 
CLI (config-if)> dot1l1l qos [class | class-bss] [background | best-effort 
| video | voice] 
CLI (qos)> no cw-max 
To configure a fixed backoff slot time: 
CLI (config-if)> dot1l1l qos [class | class-bss] {background | best-effort 
| video | voice} fixed-slot <slot-value> 
To restore the default fixed backoff slot time: 


CLI (config-if)> dot1l qos [class | class-bss] [background | best-effort 
| video | voice] 
CLI (qos)> no fixed-slot 


To configure a transmit opportunity in usec: 





CLI (config-if)> dot1l qos [class | class-bss] {background | best-effort 
| video | voice} transmit-op < value> 
To restore the default transmit opportunity in usec: 


CLI (config-if)> dot1l qos [class | class-bss] [background | best-effort 
| video | voice] 





CLI (qos)> no transmit-—op 
The AC selection mode defines if the AC is selected from CoS value, DSCP or both. By default, the AC is 
taken from the DSCP value. To configure the AC selection mode: 


CLI (config-if)> dot1l qos mapping-mode [dscp|cos|both] 
CLI (config-if)> no dot1l qos mapping-mode 
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To configure the DSCP explicit mapping to CoS (in DSCP mapping-mode) 


CLI (config-if)> dot1ll qos dscp-cos-mapping 
CLI (dscp-qos-mapping)> dsep <dscp-value> cos <0-7> 


4.2.3.3 Global 802.11 Parameters 


The radio working mode is "plug and play". The AP auto-detects free channels and configures the transmit 
power (max. 18 dB, bit rate dependent). A country code is used to identify the regulatory domain. Both 
regulatory domain and wireless mode (802.11b or 802.11g) are used to build the channel list by scanning 
the regulatory domain table and pick up the channels with matching wireless modes. To set the ISO 
country code: 


CLI (configure)> dot11 location isoce <country-code> 
The country-code is ISO encoded country code: fr, us, gb, ch, es, pl, nl, de... You will find the 
exact country list by entering the show dot11 country table command. 


When TKIP is activated on a SSID, MIC (Message Integrity Check) verifies received packet integrity. If 
2 MIC integrity check failures are observed within 60 seconds, the station is de-associated and its key is 
dropped. As a counter measure, the corresponding WLAN station is held off for the hold-off period, 
which 60 seconds is by default: 


CLI (configure)> dot1l1l tkip-countermeasure <hold-off-—in-seconds> 


To reset the default hold-off time: 





CLI (configure) > dot11l tkip-countermeasure 


The dot1x client timeout parameter is the amount of time that the AP waits for the client to answer to EAP 
messages. Otherwise, the EAP negotiation fails. 


CLI (configure) > dot1lx client-timeout <seconds> 


To reset the default value (30 seconds): 





CLI (configure)> dotlx client-timeout 


The dot1x server timeout parameter is the amount of time that the AP waits for the server to answer to 
EAP messages. Otherwise, the EAP negotiation fails. 


CLI (configure)> dotlx server-timeout <seconds> 


To reset the default value (3 seconds): 





CLI (configure)> dotlx server-timeout 


The reauthentication period is the time interval in seconds between which a client must re-authenticate to 
the server to negotiate a new master key: 


CLI (configure)> dotlx reauth-period <30-4294967295> 


By default, reauthentication takes place every 60 seconds; to restore the default value: 





CLI (configure)> dotlx reauth-period 

The aging parameter determines the time period after which an inactive station is disassociated by the AP. 

By default, an inactive station is disassociated after 300 seconds. To change this aging period in seconds: 
CLI (configure)> dot1ll aging-timer <10..3600> 

An aging period below 120 seconds must not be used unless it is for test purposes. The accuracy of this 

aging timer is 60 seconds: the association table is scanned every minute. Stations whose inactivity period 


is greater than the aging timer are disassociated. In other words, in the worst case, the inactive stations is 
dissaciated after (aging-timer + 60) seconds. 
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4.2.3.4 Configuration Examples 


WPA-PSK: 


configure terminal 

interface dotllradio 0/0.1 

ssid hotspotl 

authentication wpa-psk 

passphrase 0A112233445566 

intraforwarding 

exit 

ip address 192.168.0.1 255.255.255.0 
exit 


interface dotllradio 0/0 
acl-mode allow 

acl-add 00:12:17:98:81:9d 
no shutdown 

exit 


Open Mode: 


configure terminal 

interface dotllradio 0/0.1 
ssid hotspot2 
authentication open 
encryption none 
intraforwarding 

exit 

ip address 192.168.0.1 255.255.255.0 

exit 

interface dotlilradio 0/0 
acl-mode allow 

acl-add 00:12:17:98:81:9d 
no shutdown 

exit 


WEP, 40-bit-long Key: 


configure terminal 

interface dotllradio 0/0.1 
ssid hotspot3 
authentication open 
encryption wep40 
default-key 1 
intraforwarding 

exit 

ip address 192.168.0.1 255.255.255.0 

exit 

interface dotllradio 0/0 
acl-mode allow 

acl-add 00:12:17:98:81:9d 
key-value 1 abcde 

no shutdown 

exit 


802.1X: 


configure terminal 
radius-server 10.0.0.200 shared_secret 1812 
aaa group server radius eap_radius 
server 10.0.0.200 
exit 
interface dotllradio 0/0.1 
ssid hotspot4 
authentication wpa eap_radius 
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4.2.3.5 


encryption tkip 
intraforwarding 
exit 
ip address 192.168.0.1 255.255.255.0 
exit 
interface dotllradio 0/0 
acl-mode allow 
acl-add 00:12:17:98:81:9d 
no shutdown 
exit 


Configuring Bridging on a WLAN Interface 


If you wish a WLAN client to access a Microsoft Network on the wired LAN (to access shared directories or 
a printer), the solution is that the WLAN interface and the LAN interface be managed within the same IP 
network. Furthermore, MAC frames must be bridged (without IP routing) from WLAN to LAN and vice 


versa. 


In order to activate bridging, you must declare a bridge virtual interface (BVI) and attach it to the LAN and 
WLAN sub-interfaces. Full details on BVI are in 4.11.2. 


The BVI interface is declared as follows: 


Then, attach the same bridge-id under LAN and WLAN sub-interfaces: 


CLI (configure)> interface bvi <id> 

CLI (config-if)> ip address <ip> <mask> 
CLI (config-if)> bridge-group <bridge-id> 
CLI (config-if)> exit 





interface dotllradio 0/0.<id> 
bridge-group <bridge-id> 

exit 

interface fastEthernet 0/0 
bridge-group <bridge-id> 

exit 


LI (configure 
CLI (config-if 
CLI (config-if 
CLI (configure 
CLI (config-if 
CLI (config-if 





\> 
)> 
)> 
)> 
)> 
}> 


Example: 


4.2.3.6 


interface bvi 1 

ip address 192.168.1.1 255.255.255.0 
bridge-group 101 

exit 

interface fastethernet 0 
bridge-group 101 

exit 

interface dotllradio 0/0.1 
ssid hotspot3 
intraforwarding 
authentication open 
encryption wep40 
default-key 1 

exit 

bridge-group 101 

exit 

interface dotlilradio 0/0 
acl-mode allow 

acl-add 00:12:17:98:81:9d 
key-value 1 abcde 

no shutdown 

exit 


Configuring a native VLAN on a WLAN Interface 


To bridge the data traffic between the radio interface and a VLAN interface (FastEthernet or ATM or ...), it 
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is necessary to add a native 802.1q header to the packets received on the radio interface, and inversely to 
control and remove an 802.1q header from the packets sent to the radio interface. 


To set an 802.1q VLAN ID and optionally an 802.1q priority, use the following command in logical interface 
level: 


CLI (configure)> interface dotllradio 0/0.<id> 
CLI (config-if)> native-dot1Q <vlan-id> [default-pri <0-7>] 


To remove the native VLAN on the WLAN interface, use the 'no' form of the command: 


CLI (configure)> interface dotllradio 0/0.<id> 
CLI (config-if)> no native-—dot1Q 


4.2.4 Configuring APC 


Note that the APC configuration is only available after having entered, using the sw-right command, the 
license key dedicated to your OneOS-based router and corresponding to the software license you bought 
(APC-8 or APC-16 license). 


To enable the AP controller and enter in APC configuration mode, use the following command in global 
configuration mode. Use the no form of the command to disable the AP controller. 


CLI (configure)> [no] ap-controller 
CLI (config-apc) > 


Warning: disabling the AP controller erases the whole APC configuration including the profile files 
that have been created. 


To define how the APC will manage the configuration of the AP, use the following command in APC mode: 


CLI (config-apc) > provisionning-mode { discover | template | none } 


e none: (default value) the same configuration is sent to all the AP. This configuration is taken from the 
webroot/bsaStart.cfg file. 


e discover: as the AP are discovered the configuration taken from the webroot /bsaStart.cfg.nn 
file is sent (nn from 01 to 16). 


e template: as the AP are discovered the configuration described in a virtual profile and associated to 
the AP is sent. 


To define a virtual profile that contains the command lines of the configuration to send, use the following 
command in APC configuration mode. Use the no form of the command line to remove the virtual profile. 


CLI (config-apc)> [no] virtual-profile <vitual-profile-name> 
CLI (config-vprofile) > 


The command lines can then be directly entered using the set command and /or taken from a file using 
the source-file command and / or taken from another profile using the source-profile command. 
All entered command lines are gathered in the virtual profile taking into account their sequence-line- 
number in ascending order (use the recount command to renumber the various command lines if 
needed). Use the no form of the commands to remove a command line, a source file or a source profile 
description. 





CLI (config-vprofile 
CLI (config-vprofile 


( > [no] set <sequence-line-number> <command-line> 
( 

CLI (config-vprofile 
( 
( 


> [no] source-file <filename-path> 
> [no] source-profile <vitual-profile-name> 
> exit 


CLI (config-vprofile 
CLI (config-apc) > 


To associate a profile with an AP, use the following command in APC configuration mode. Use the no form 
of the command to remove the association. 


CLI(config-apc)> [no] profile-associate <AP-MAC-addr> <virtual-profile- 
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name> 


To associate a default profile with other AP those have not been explicitly associated use the following 
command in APC configuration mode. Use the no form of the command line to remove the default profile. 


CLI (config-apc)> [no] profile-default <virtual-profile-name> 


The AP controller monitors the presence of the AP using a keepalive method. This keepalive method is 
activated by default and sends a keepalive message every 30 seconds (default value). When an AP does 
not answer to the keepalive message, the APC tries 3 more times (default value) before de-associate the 
AP. The latter will then reboot and re-associate. To modify the default values, use the following commands 
in APC configuration mode: 


CLI (config-apc)> keepalive frequency <15-1200> 
CLI (config-apc)> keepalive retries <2-60> 


To apply the default value again, use the following commands in APC configuration mode: 


CLI (config-apc)> default keepalive frequency 
CLI (config-apc)> default keepalive retries 


To deactivate the keepalive process, use the no form of the command. To re-activate the keepalive 
process with the default values, use the command without parameter. 


CLI (config-apc)> no keepalive 
CLI (config-apc) > keepalive 


To start the AP controller, use the no shutdown command then exit. 


CLI (config-apc)> no shutdown 
CLI (config-apc)> exit 
CLI (configure) > 


Note: as well as for the APC that needs being shutdown to be configured, the AP need also to be 
shutdown to be configured. Think to place the shut down command in the profile to send to the AP. 


An AP updates its software and configuration when it starts, periodically depending on its configuration 
and when it re-associates. To force an AP to update (i.e. getting its configuration from the virtual profile 
that has been created) use the following command in global mode: 


CLI> ap-controller auto-update-start <AP-MAC-addr> 


Example: 


sw-right APC-8 f74a3efcbc3d612064a30£67d7d27£77 
no reboot recovery-on-error 
logging buffered size 16364 
ap-controller 
virtual-profile ADMIN 
set 10 configure terminal 
set 15 hostname oneair 
set 30 interface fastethernet 0/0.2 
set 40 bridge-group 2 
set 50 no ip address 
set 60 encapsulation dotlq 3001 
set 70 exit 
set 80 interface dotllradio 0/0.1 
set 90 bridge-group 2 
set 100 no ip address 
set 110 exit 
set 160 interface bvi 2 
set 170 bridge-group 2 
set 180 exit 
set 190 apc-collector disable 
set 195 exit 
exit 
virtual-profile WIFI 
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source-profile ADMIN 
set 90 configure terminal 
set 100 interface dotllradio 0/0.1 
set 105 shutdown 
set 110 ssid apc_apc 
set 120 authentication wpa-psk 
set 130 encryption tkip 
set 140 passphrase *******kkx* 
set 150 exit 
set 175 no shutdown 
set 180 exit 
set 310 interface dotllradio 0/0 
set 315 shutdown 
set 330 acl-add 00:01:02:03:04:05 
set 340 acl-add 00:02:04:06:08:0a 
set 1400 acl-add ff:ee:dd:cc:bb:aa 
set 1410 acl-add ff£:dd:bb:99:77:55 
set 1420 key-value 1 abcde 
set 1430 dot11 qos wmm 
set 1440 channel least-congested 
set 1450 no shutdown 
set 1460 exit 
set 1470 exit 
exit 
virtual-profile ap_1 
source-profile WIFI 
set 10 configure terminal 
set 20 hostname ap_1 
set 30 interface dotllradio 0/0 
set 40 shutdown 
set 50 channel 1 
set 60 no shutdown 
set 70 exit 
set 80 exit 
exit 
virtual-profile ap_2 
source-profile WIFI 
set 10 configure terminal 
set 20 hostname ap_2 
set 30 interface dotllradio 0/0 
set 40 shutdown 
set 50 channel 6 
set 60 no shutdown 
set 70 exit 
set 80 exit 
exit 
profile-associate 00:11:22:33:44:55 ap_1 
profile-associate Of:0e:0d:0c:0b:0a ap_2 
profile-default WIFI 
provisioning-mode template 
no shutdown 
exit 
hostname apc 
interface FastEthernet 0/3 
ip address 192.168.1.30 255.255.255.0 
exit 
interface Bvi 2 
ip proxy-arp 
ip address 172.17.71.211 255.255.252.0 
encapsulation dot1Q 3001 
bridge-group 2 
exit 
interface FastEthernet 0/0.2 
encapsulation dot1Q 3001 
bridge-group 2 
exit 
interface FastEthernet 1/0.2 
encapsulation dot1Q 3001 native 
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bridge-group 2 
exit 


4.2.5 Debugging and Statistics 


To facilitate the understanding of the result of the following debug and show commands, it is possible to 
associate alias names to the MAC addresses so the alias is displayed instead of the MAC address value. 


To associate an alias name to a MAC address, use the following command in interface dot11radio 
configuration mode (see also the acl-add command). 





CLI (config-if)> dot11 alias set AA:BB:CC:DD:EE:FF <alias> 











To display the SSID using either MAC address value or alias name, use the following command in 
interface dot11radio configuration mode (default ful1l-—mac). 


CLI (config-if)> dot1l1l alias display ssid { full-mac | alias } 
To display a station using full MAC address value or MAC address value with OUI name or alias name, 
use the following command in interface dot11radio configuration mode (default ful1l-—mac). 


CLI (config-if)> dot1l1l alias display station {full-mac | oui-mac | alias} 


To debug WLAN client association and radio layer events, use the following debug command: 
CLI> debug doti1l1 [error <level>] 


To display 802.1X protocol message as well as WPA-PSK traces: 

CLI> debug dot1lx [ aaa | eap | key ] 
To display information sent in beacon frames (if you choose a debug level, be careful: lots of traces are 
generated): 


CLI> debug dot1l beacon <level> 
CLI> no debug doti1l beacon 


To display information about probe frames (if you choose a debug level, be careful: lots of traces are 
generated): 


CLI> debug dot1l1 probe <level> 
CLI> no debug doti1l probe 
To display information about dot11 initialization (displays what happens during ‘no shutdown’): 
CLI> debug doti1l init <level> 
CLI> no debug dot11 init 
To display information about association and authentication: 
CLI> debug dot11 mgt <level> 
CLI> no debug dot11 mgt 
To display all information related to a specific station: 
CLI> debug dot1l station <MAC-address> { all |arp | dhcp | dot1x | errors 


| mgt | power-save | probe } <level> 


CLI> no debug doti1l station [{ all |arp | dhcp | dot1lx | errors 
| mgt | power-save | probe }] 


Active debugs are displayed by show debug and deactivated by no debug. 


To capture the 802.11 frames and to decode frames in Wireshark, the capture utility can be used (refer 
to section 3.15). 


To show the WLAN IP interface configuration: 
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CLI> show ip interface dotllradio 


To show the WLAN IP interface statistics: 





CLI> show interfaces dotllradio 


To display the WLAN configuration: 
CLI> show dot1l config 


To display the list of attached WLAN clients: 


CLI> show dot1l1 association 


To display detailed statistics of attached WLAN clients: 
CLI> show dot11 station 


To display detailed statistics of keys: 
CLI> show dotl1l key 


To display the information contained in beacon frames: 
CLI> show dot1l beacon [0/0.<id>] 


To display the WLAN firmware version: 


CLI> show doti1l version 


To display MAC address cache for MAC authentication and to clear MAC address cache: 


CLI> show dot1l mac-cache 
CLI> clear dot1l mac-cache 


To display information related to a specific SSID: 
CLI> show dot11l radio-interface [0/0.<id>] 


To display QOS WMM information: 
CLI> show doti1l qos 


To display QoS WMM DSCP current mapping to Cos: 
CLI> show dot1l qos dscp-—qos-mapping 


To clear QoS WMM queues statistics: 


CLI> clear dot1l qos counters 


To display information about AP controller association process messages: 


CLI> debug ap-controller association 
CLI> no debug ap-controller association 


To display information about AP controller keepalive process messages: 


CLI> debug ap-controller keepalive 
CLI> no debug ap-controller keepalive 


To display information about AP controller profile process messages: 
CLI> debug ap-controller profile 
CLI> no debug ap-controller profile 


Active debugs are displayed by show debug and deactivated by no debug. 


To display the AP controller associations and to suppress AP controller associations: 
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CLI> show ap-controller association [detailed] 
CLI> clear ap-controller association [<AP-MAC-addr>] 





To display the AP controller keepalive statistics and to clear keepalive counters: 


CLI> show ap-controller keepalive statistics 
CLI> clear ap-controller keepalive counters 


To display AP controller provisionning mode: 


CLI> show ap-controller provisionning-—mode 


To display AP controller profile associate information: 


CLI> show ap-controller profile-assoc 


To display an AP controller virtual profile: 


CLI> show ap-controller virtual-profile <virtual-profile-name> 


To display AP controller default profile information: 


CLI> show ap-controller default-profile 


To show the associated-AP WLAN information through the APC: 


CLI> show ap-controller dot11 <parameter> [<AP-MAC-addr>] 


Refer to the show dot11 command for the parameter possible values. 
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4.3 


4.3.1 


WAN CONFIGURATION 


Features 


The ATM service enables the transport of voice and data. To initiate the service, protocol stacks are 
configured using CLI commands. These commands permit the configuration of the ATM physical interface 
and logical sub-interfaces that are associated with Permanent Virtual Connections (PVC). 


The PVC configuration requires parameters related to ATM technology (VPI, VCI, QoS, OAM, etc.) and 
parameters related to the type of transport protocol (classical IP or IP over PPP). 


The steps for configuration are: 
e Parameter settings (value control) 
e Checking parameter coherence and applying changes (command: execute). 


If the execute command is not entered, WAN parameters do not enter in effect. 


4.3.2 ATM Based Interfaces 


4.3.2.1 


ATM Interface Reference 


The ATM interface is referenced by the port number as explained in the previous section. 


The port number references the interface that gathers the physical interface (such as DSL) and several 
PVC supported by this interface. 


Enter the port number to configure the ATM interface (the interface is created if it does not exist): 


CLI> configure terminal 
CLI (configure)> interface atm <port number> 
CLI (config-if)> 





4.3.2.2. ATM Interface Provisioning 


The following commands set common PVC parameters, such as the chosen VP/VC identifiers. 


The parameters are assembled in a profile defined by “driver ident”. Enter the driver ident index 
(usually 0): 


CLI (config-if)> driver ident <index> 
CLI (drv) > 


Then specify the maximum number of PVC (VP/VC) that can be provisioned on the interface: 





CLI (drv)> max channels <value> 


<value>: This parameter indicates the maximum PVC number available under the interface. Default: 8. 
Then, enter the maximum VP number and the maximum VC number: 


CLI (drv)> max vp <value> 
CLI (drv)> max ve <value> 





The first command provides the maximum number of Virtual Paths (VP) allowed on this interface. The 
number varies between 1 and 8. Default: 1. 


The second command provides the maximum number of Virtual Circuits (VC) allowed. The number varies 
between 1 and 8. Default: 1. 


The range of value for VP and VC identifiers must be set using the following commands: 
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4.3.2.3 


CLI (drv)> range vp min <value> max <value> 


The above-referenced command specifies the minimal and maximal bounds of the VP Identifier (VPI) 
value allowed. This VPI can vary between 0 and 255. Default min: 0, Default max: 1. 


CLI (drv)> range ve min <value> max <value> 


The above-referenced command specifies the minimal and maximal bounds of the VC Identifier (VCl) 
value allowed in configuration. The VCI can vary between 32 and 2048. Default min: 32, Default max: 40. 


The Maximum Transmit Unit (MTU) size can be specified. The MTU designates the largest packet size that 
is supported by the interface. The MTU settings apply to data traffic using the interface. The command is: 


CLI (drv)> mtu <size> 


The size ranges between 32 and 9188 (size in bytes). Default: 4470. 
Example: 


interface atm 0 
driver ident 0 

max vp 1 

max vc 3 

range vc min 32 max 100 
range vp min 0 max 5 
max channels 3 

mtu size 1496 
execute 

exit 

exit 


Physical Interface Configuration 


4.3.2.3.1_ G.SHDSL for devices with ATM only 


The G.SHDSL interface corresponds to the most popular form of symmetrical DSL. It is based on the 
G.991.2 standard and offers better reach than the SDSL 2B1Q standard. 


To start the G.SHDSL configuration, the user must enter into the configuration mode using the command: 


CLI> configure terminal 


Then the user must enter into the interface configuration mode using the command: 


CLI (configure)> interface atm <interface number> 


The CLI enters into the G.SHDSL configuration mode (in config-if), when typing the next command: 


CLI (config-if)> gshdsl 


This command removes the interface G.SHDSL: 

CLI (config-if)> no gshdsl 
Some parameters must be chosen before starting the G.SHDSL interface. The related commands and 
parameters are: 


The annex command specifies the standard that will be used: A, for American standard and B, for 
European standard. 


CLI(gshdsl)> annex { A | B } 


The following command indicates the equipment type. Only the CPE type is offered. 
CLI (gshdsl)> equipment CPE 
The linerate command enables configuration of the interface bit rate in fixed or adaptive mode. The rate 


value is fixed between 192 and 2304 kbps by steps of 64 kbps (2-wire G.SHDSL) or between 384 and 
4608 kbps by steps of 128 kbps (4-wire G.SHDSL). 
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CLI(gshdsl)> linerate fixed <value> 


The linerate adaptive command sets the range of bit rates that the G.SHDSL chipset can use in 
adaptive mode. The device and DSLAM provide the highest line rate possible within the range defined 
here according to line features (length, attenuation) and tolerable Bit Error Ratio. Two parameters define 
the minimum rate and the maximum rate (in kbps). 


CLI (gshdsl)> linerate adaptative <valuel> <value2> 


To use the default Linerate setting (from 192 to 2304 kbps — 2-wires — and from 384 and 4608 kbps — 4- 
wires —): 


CLI (gshdsl)> default linerate 


A G.SHDSL interface can use two or four wires; doubling the number of wire doubles the interface speed. 
The ‘mode’ command forces a four-wire interface to either apply the two-wire mode or to specify the four- 
wire operation mode. Only the four-wire interface with byte interleaving is supported (bit interleaving is not 
supported). When using the interface in four-wire mode, three connection modes are possible: standard, 

nhanced or enhanced_sim. The enhanced mode synchronizes one copper pair then the other. The 
enhanced_sim and the standard mode start the synchronization of both pairs simultaneously. These 
two modes enable then a faster synchronization time. The standard mode is compliant with the ITU-T 
standard. Therefore, the standard mode is the default value. In case of connection problems, it is 
recommended to try all of them. 





CLI (gshdsl)> mode {2_wire | 4 wire_byte_interleave [enhanced | 
enhanced_sim | standard] } 


When the G.SHDSL interface has four wires, you can configure the autoconfig mode. In that mode, the 
router detects the DSLAM configuration and then sets the appropriate G.SHDSL parameters (unless some 
parameters are forced in the CLI configuration). The argument after ‘mode autoconfig’ is the 
connection mode used for the handshake. The handshake can be done in two or four-wire mode, then the 
CPE retrieves the line parameters from the DSLAM (line rate, number of wires, enhanced or standard, first 
pair to synchronize) and initializes the G.SHDSL line according to the retrieved parameters. If you 
previously forced a parameter like the number of wires (command: mode 2_wire) or line rate (command: 
linerate), the retrieved corresponding parameter from the DSLAM is ignored. 


CLI(gshdsl)> mode autoconfig {2-wire | 4-wire-enhanced | 4-wire-standard} 


A mode autoconfig synchro-GSPN command has been added for inter vendor compatibility. For 
detailed information about this command, contact OneAccess Support. 


To disable autoconfig: 


CLI (gshdsl)> no mode autoconfig 


The mode autosense has the same effect as ‘mode autoconfig’ but it is a deprecated command. 

CLI (gshdsl)> mode autosense 
The mode-dslam command is actually a workaround to allow a fast adaptive connection with DSLAM 
using a Metallink chipset (default setting: default). 

CLI (gshdsl)> mode-dslam {default | METALLINK} 
execute: This command closes the physical interface configuration putting into place the parameters that 
have been set. 


CLI (gshdsl)> execute 


Example: 


interface atm 0 
gshdsl 

execute 

exit 

exit 


Other commands: only for experts 
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The max-tx-ring command specifies the maximum size of the transmission buffer ring. The minimum 
configurable size is 4 and the maximum is 128. The default size is 128. 


CLI (gshdsl)> max-tx-ring <value> 


The action-sync-lock command is a workaround command and specifies the action to do in case of 
deadlock during synchronization: none, reboot or resync for beginning a new synchronization can be 
set as parameter. 


CLI (gshdsl)> action-sync-lock {none | reboot | resync} 


The sync-pair command forces the first pair that will be started at beginning of synchronization. No pair 
is forced while setting auto, first pair with normal and second pair with crossed. Default value is auto. 


CLI(gshdsl)> sync-pair {auto | normal | crossed} 


The synchro command specifies the activation of retrain on loss of framing (if framing is lost, by default, 
the SHDSL line should restart training). Retrain is enabled if setting synchro is set as check otherwise it 
is disabled. 


CLI(gshdsl)> synchro {check | default | no} 


By default, the number of CRC errors is monitored. By default, the lines are resynchronized if the SHDSL 
modem detects more than 3 CRC errors per second. Entering "crc check <n>" changes the number of 
acceptable consecutive CRC errors during one second. Its value varies from 1 to 30. "crc check" sets 
the default CRC error value. "crc no" disables the control of CRC errors (resynchronization is started due 
to other criteria such as loss of signal). 


CLI(gshdsl)> cre { check [<n>] | no } 


Example: 


interface atm 0 

driver ident 0 
range vp min 0 max 100 
range vc min 32 max 100 
execute 

exit 

gshdsl 
ere check 30 
execute 

exit 

exit 


To activate traces, use the following command: 
CLI> trace filter add sys hdsl all 


The SHDSL statistics are viewed as follows: 





CLI> show gshdsl 


The SHDSL statistics are interpreted as follows: 





CLI> show gshdsl Interpretation 





Admin.Status UP Oper.Status UP UP 


Line is configured by user: 

ifIndex = 0 

Mode is CPE (Annex B) 

Configured rate is ADAPTIVE from 384 K to 
4608 K 

Noise margin is 2 dB 

Snext noise margin is Disabled 

Autoconfig 4-wire-enhanced 

Frame sync not checked 


Items configured via CLI 








Page 4.3-130 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


eeeesecceeeesceceeeseeseeeeeeeseeeesesesssssesesssesesseseses Sore tee ee 
Phase: line UP ' Synchronization phase: IDLE, autoconf 
Operational Mode: 4-wire mode enhanced 1 (detecting the line parameters), 
Remote provider code: NPSG ( 4e 50 53 47 ) ' synchro (synchronization in 
Remote firmware version: 0x20 | progress), UP 
Remote configured rate is FIXED at 2048 K \ 
Yale lds ettaded becdeteediddauteeudecetisessecsese | DSLAM parameters 
First pair started is 0 ' Shows the ID of the first line being 
pair[0] [DATA ] [NO_STARTUP ] 'synchronized (when they must not be 
pair[1] [DATA ] [NO_STARTUP] | synced simultaneously). 
Pe TE Pe NP ee IE IE EE OREO RSS RESIS a a SES SEEREnnEncn er 
Retrain criteria: | Line Monitoring Statistics: 
(value ref enable) 'They are the criteria that can force 
pair[0] BQ 38.76 22.70 ON | the interface to restart 
CRC 0 i) ON , synchronization and training. By 
FSync 0 0 OFF 1default the SQ (Signal Quality) must 
pair[1] BO 38.19 22.70 ON ' be greater than the reference value. 
CRC Lt 3 ON 1;CRC must remain low and = framing 
FSync 1 0 OFF | Synchronization (Fsync) must be 
‘active. The CRC counter is the number 
Retrain counters: ,of CRC errors within a second. The 
(SQ CRC FSync) 1 ‘enable’ column indicate Lt the 
pair[0] 0 0 0 ' corresponding criterion (SQ, CRC, 
pair[1] 0 0 0 'Fsync) can force the interface to 
Line 0 0 0 retrain SHDSL. 
' The second part shows the number of 
| resynchronization caused by bad 
' signal quality (SQ), excessive CRC 
1errors or loss of framing sync. The 
i counters are shown for every pair and 
‘the whole line (combining both 
| pairs) 
a a EE OT OPT OPE ENN TY ST ETT NOE Se 
Mib status 0x00000001 ,noDefect 
Mib status 0x00000001 ,noDefect 
Data Rate: 1024000 bps 1024000 bps 
Data Rate Ratio: 266% !Line statistics 
Attenuation: 0,0 dB 0,1 dB 
NoiseMargin: 38,4 dB 38,2 dB 
TransmitPwr: 7,5 dB 7,5 dB 
ReceiverGain: 5,8 dB 5,7 dB 
chipset release: 0 0 
firmware release: [R3.0.5] : SHDSL firmware release 
Licata eee eee eeeeeeeteeeeeeeeeeeeeeeeeeceecoecoecesceeesed Gee See oak 
' ATM cell counters 
(power-on lastread) ,CRC errors 
CRC 0x00000000 0x00000000 Received ATM cells 
RxCells 0x0000001le 0x0000001le | Dropped received ATM cells 
RxDrops 0x00000000 0x00000000 | Received ATM cells with HEC error 
RxHec 0x00000000 0x00000000 Number of sent ATM cells 
TxCells 0x0000001e 0x0000001le 
[ VITU Standard Counters (see G991.2) 
(power-on lastread) ' 
ES 0x00000000 0x00000000 1ES: Number of Errored Seconds (second 
SES 0x00000000 0x00000000 with at least one error) 
LOSWS 0x00000000 0x00000000 1 SES: Severely Erred Seconds (number 
UAS 0x00000001 Ox00000001 1of seconds with high CRC rate) 
| LOSWS: number of seconds with loss of 
1 synchronization word 
| UAS: unavailable seconds (number of 
‘seconds with line outage) 
i \EOC Statistics 
EOC is enabled: expecting discovery 
EOC is enabled: expecting discovery ;Stable state is: “EOC is enabled: 
EOC statistics (power-on lastread) | running” 
(power-... ' 
commands 0x00000000 0x000000001 
0x00000... 
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a ee a eng gg eng gg eng gong egg eng eye eee 





responses 0x00000000 0x00000000) 
0x00000... | 
discarded commands 0x00000000 0x00000000 5 
000000... 
errored commands 0x00000000 0x00000000} 
0x00000... H 
received frames 0x00000000 0x00000000 ! 
0x00000... i 
bad transparency 0x00000000 0x00000000 } 
0x00000... ! 
bad FCS 0x00000000 0x00000000 }; 
0x00000... 








4.3.2.3.2 G.SHDSL.bis for devices with ATM and EFM 


The G.SHDSL.bis interface is based on the G.991.2 Annex G standard. 


For devices with both ATM and EFM, configuring G.SHDSL.bis requires three steps. The three steps are 
further explained in the sections below: 


1. Setting up a SHDSL controller 
2. Setting up a DSL-group 
3. Linking the DSL group to the ATM or EFM interface 


4.3.2.3.2.1 Setting up a SHDSL controller 
To start the G.SHDSL.bis configuration, the user must enter into the configuration mode using the 
command: 
CLI> configure terminal 
CLI (configure) > 
The controller command enters the configuration mode of SHDSL controller: 
CLI (configure)> controller shdsl 0 


CLI (conf-ctr1)> 


The controller shdsl 0 command identifies the SHDSL interface. 


4.3.2.3.2.2 Setting up a DSL-group 
After the SHDSL controller has been set up, the next step is to set up a DSL group within the SHDSL 
controller. 
The dsl-group command enters the configuration mode of the DSL group: 


CLI (conf-ctrl)> dsl-group <dsl_group_number> 


Currently, a single DSL group can be configured: <ds1_group_number> = 0. 
We proceed with DSL group 0: 


CLI (conf-ctrl)> dsl-group 0 
CLI (dsl-group) > 


Now, the DSL group can be configured. Refer to 4.3.2.3.2.4 Configuration command overview of the DSL 
group for a detailed explanation of the DSL group commands. 


4.3.2.3.2.3 | Applying the DSL group in the ATM or EFM interface 


For an ATM interface, proceed as follows: 


The interface atmcommand enters the configuration mode of an ATM interface, for example 0: 
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CLI (configure)> interface atm 0 


The dsl-group command assigns the configured DSL group to the ATM interface: 


For an EFM interface, proceed as follows: 


CLI (config-if)> dsl-group 0 


CLI (config-if) > 


The command interface efmenters the configuration mode of an EFM interface, for example 0: 


CLI (configure)> interface efm 0 


Note: As of V4.2 software release, only one EFM interface, the EFM interface 0, can be activated. 


The dsl-group command assigns the configured DSL group to the EFM interface: 


Also refer to 4.3.2.3.2.7 G.SHDSL.bis configuration example for a configuration example. 


4.3.2.3.2.4 


CLI (conf-if)> dsl-group 0 


CLI (conf-if)> 


Configuration command overview of the DSL group 


The following gives an overview of the configuration commands: 


4.3.2.3.2.5 


dsl-group 

| 

+---4-wire-mode 
+---annex 
+---autoconfig 
+---caplist 
+---cctargetmargin 
+---cre 
+---default 
+---efmaggregation 
+---equipment 
+---execute 
+---exit 
+---linerate 
+---lines 
+---meansq 
+---—pmmsmode 
+---tclayermode 


+---vendorspecoctets 


+---wctargetmargin 


DSL group configuration commands 


Use the following command to specify the SHDSL standard that will be used. 


annex has the following possible values: 


tc-pam has the following possible values: 


CLI(dsl-group)> annex { A-F 


B-G 


auto } [tc-pam { 16 


A-F: the North-American SHDSL standard will be used. 


B-G: the European SHDSL standard will be used (default value). 


32 


auto }] 


auto: this value is only possible for CPE devices; the annex is automatically set to the CO value. 


16: with tc-pam 16, the line rate ranges from 192 kbps to 3840 kbps. This will automatically be 
selected when caplist is set to oldstyle; refer to the command below. 
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e 32: withtc-pam 32, the line rate ranges from 768 kbps to 5696 kbps. 
e auto: when using this value, the modulation will be determined automatically. 


Note: For CPE devices, only auto is possible. 


Use the following command to set which type of capability lists can be exchanged, default: auto. 


During the SHDSL initial handshake phase, the two peers of the link exchange information on their 
capabilities. This includes whether or not they support G.SHDSL.bis. Some older DSLAM SHDSL cards 
refuse to proceed with the SHDSL handshake if they receive a capabilities list as defined in the newer 
G.SHDSL.bis standard. Therefore this command can be used to make the router interoperable with these 
older SHDSL implementations. 


CLI (dsl-group)> caplist { oldstyle | newstyle | auto } 


caplist has the following possible values: 
e oldstyle: the peer device only supports SHDSL (neither G‘SHDSL.bis nor EFM). 
e newstyle: the peer device supports SHDSL and G.SHDSL.bis ATM (not necessarily EFM). 


e auto: (default) the OneOS-based router decides itself. This value is only valid for CPE devices. For 
CO devices, this value is internally translated to newstyle. 


Use the following command to set the current condition startup margin, in function of which a line speed 
has to be selected during the ITU-T G.994.1 auto speed negotiation, default: disabled. 


This command takes into account the current condition the device is operating under, during which the 
connection has to remain up. The higher the cctargetmargin will be, the lower the selected line speed 
will be, but the more stable the line will be. 


If the cctargetmargin is disabled, the target margin is not considered during the ITU-T G.994.1 auto 
speed negotiation, i.e. all soeeds are available (the target margin is the amount of received signal power in 
excess of that required to achieve the DSL target bit error rate of 10’), 


CLI (dsl-group)> cctargetmargin { disabled | -10db .. +10db } 


The cctargetmargin range can be set between —10 dB and +10 dB, or can be disabled. 


For example, when setting cctargetmargin to 8 dB, there must be an 8 dB difference between signal 
and noise level under the current conditions, for the line to remain up. 


If both ccTargetMargin and wcTargetMargin are disabled, no line probing will be done. 


Use the following command to set the CRC error checking, default: crc check 10. 
CLI (dsl-group)> ere { no | check [<crc_time_check>] } 
crc_time_check is being any value in seconds between 1 and 30. It is expressed in consecutive errored 


seconds. This means, when crc_time_check is set to 10, that after 10 consecutive errored seconds, the 
device will retrain. 


In order to stop the CRC check, use the ‘no’ command: 


CLI (dsl-group)> cre no check 





Use the following command to set the equipment type, default: CPE. 
CLI (dsl-group)> equipment { CO | CPE } 

equipment has the following possible values: 

e co: Use this value to set up the device as a Central Office type of equipment. 


e cPE: Use this value to set up the device as a Customer Premises type of equipment. 
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Use the following command to set the data transfer rate. It enables configuration of the interface bit rate in 
fixed or adaptive mode, default: adaptive 192 5696. 


To use the fixed mode, proceed as follows: 


CLI (dsl-group)> linerate fixed <value> 


The rate value is fixed between 192 and 5696 kbps in steps of 64 kbps (per line pair G‘SHDSL.bis). 
To use the adaptive mode, proceed as follows: 
CLI (dsl-group)> linerate adaptative <valuel> <value2> 
The linerate adaptive command sets the range of bit rates that the G.SHDSL.bis chipset can use in 
adaptive mode. The device and DSLAM provide the highest line rate possible within the range defined 


here according to line features (length, attenuation) and tolerable Bit Error Ratio. valuel and value2 
define the minimum rate and the maximum rate (in kbps). 


To use the default linerate setting (from 192 to 5696 kbps per line pair), proceed as follows: 
CLI (dsl-group)> default linerate 


The linerate set with the two above commands, is the line rate for one pair. So, for instance, if 4 pairs 
are used, the total rate is 1inerate multiplied by 4. 


Use the following command to set the number of lines that will be used, default: 1-4. 


CLI(dsl-group)> lines <value> 


The possible values of value are 1|2|3|4|1-2| 1-3 | 1-4. 


When using EFM, it is mandatory to configure line 1 as a member of the DSL-GROUP even if the 
line is not connected. 


Use the following command to set the minimum signal quality thresholds the line signal has to comply with. 
When not complying with these conditions, the device will retrain, default: check 20 2dB. 


CLI (dsl-group)> meansq {no | check [<sq_time_check> [<sq_threshold>]]} 
sq_time_check is used to set the signal quality time period (expressed in seconds), during which the 
signal quality is measured. Its range can be set between 1 and 30 seconds. 


sq_threshold is used to set the minimum signal quality threshold. Its range can be set between —2 dB 
and 10 dB. 


If the sq_threshold value is exceeded during the sq_t ime_check, the device retrains. 


Use the following command to set the worst condition startup margin, in function of which a line speed has 
to be selected during the ITU-T G.994.1 auto speed negotiation. 


This command is similar to the cctargetmargin command (explained above), except that this command 
takes into account the worst possible condition that can occur on the line, during which the line still has to 
remain up. 


CLI (dsl-group)> wetargetmargin {disabled | -10db .. +10db} 


The wctargetmargin range can be set between —10 dB and +10 dB, or can be disabled. 


For example, when setting wctargetmargin to 5 dB, there must be a 5 dB difference between signal 
and noise level for the line to remain up. 


If both ccTargetMargin and wcTargetMargin are disabled, no line probing will be done. 


When autoconfig is enabled the router detects the DSLAM configuration when setting up a connection 
and then sets the appropriate parameters (unless some parameters are forced in the CLI configuration). It 
concerns the number of line pairs in use and possibly some more parameters depending on the DSLAM 
chipset. The autoconfig parameter is applicable only for ATM connections. It has no impact on EFM 
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connections. The argument after autoconfig is the connection mode used for the handshake. The 
handshake can be done in one or multi-pair mode. Then the CPE retrieves the connection parameters 
from the DSLAM and initializes the line pairs according to the retrieved parameters. 


CLI (dsl-group)> autoconfig { multi-pair | single-pair } 
Note 1: The autoconfig mode will always try to synchronize on the first pair when configured in 


single-pair. If this line pair is not answering (e.g. it is not connected), the synchronization on the other 
line pairs will never be started. 


Note 2: The autoconfig mode does not involve an automatic fallback mechanism to a smaller number of 
line pairs if one line pair disconnects for some reason. Unlike EFM or IMA it is inherent to the ATM 
encapsulation over SHDSL links that the complete link is broken if one line pair is no more operational. 


To disable autoconfig: 


CLI (dsl-group)> no autoconfig 








The 4-wire-mode, efmaggregation, pmmsmode, tclayermode and vendorspecoctets have been 
added for inter vendor compatibility. They are described below. 


The following parameter is only relevant for ATM operation in interoperability with Conexant (GlobeSpan) 
chipsets. Use the following command to set the operational mode of the lines, default: auto. 


CLI (dsl-group)> 4-wire-mode { standard | enhanced | auto } 


Note: when actually using less than 4 wires, this command can be ignored. 


Use standard to have the handshake status exchanged in ATM 4-wire mode according to the SHDSL 
standard (exchange on the master wire pair only). 


Use enhanced to have the handshake status exchanged in ATM 4-wire mode according to Conexant 
"enhanced" mode (exchange on all wire pairs). This was the only supported mode on Conexant chipsets 
with older software version (below 2.5 on Orion). Newer software versions support both standard and 
enhanced modes (configurable). 


Use auto to have ATM 4-wire mode decided automatically based on the readout of the peer's chipset and 
software version. If the chipset is Conexant with an older software version, the enhanced mode is used. 
Otherwise the standard mode is used. 


The following parameter is only applicable for EFM operation. 


CLI (dsl-group)> efmaggregation { disabled | static | negotiated | auto } 


Use disabled only for 1-pair operation; in this case the additional EFM aggregation layer is not present. 
This slightly optimizes the bandwidth use on a single pair. 


Use static to have the number of lines used for EFM aggregation being exactly the number of line pairs 
configured. There is no negotiation with the peer SHDSL on which line pairs to bond. Use this option if the 
DSLAM does not support EFM negotiation of line pairs (e.g. Hatteras). 


Use negotiated (default) to have, before the SHDSL handshake, the two SHDSL peers negotiate which 
line pairs will be used and bonded, based on configuration on both sides of the line pairs. 


Use auto only when configured as central (CO) device. The central device decides which pairs to take 
into account for the bonding based on the peer's reaction. It can distinguish between different remote 
devices e.g. if a line pair would be wrongly connected. 


The following command is important for compatibility between two devices of which one is equipped with a 
GlobeSpan chip set, more specifically with regards to the line probing process (PMMS stands for Power 
Measurement Modulation Session): when two such devices are interconnected, there is a compatibility 
issue with regard to the line probing timeout used by the chip sets. 
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Therefore, when the remote device is equipped with a GlobeSpan chip set, the pmmsmode must be set to 
GlobeSpan. 


Note that this applies to GlobeSpan software versions 2.5.x and 3.0.x. 


CLI (dsl-group)> pmmsmode { normal | globespan } 


pmmsmode has the following possible values: 
e normal: Use this value for normal operation. 


e globespan: Use this value when the remote device is equipped with a GlobeSpan chip set. 


The following parameter is relevant for EFM operation and indicates whether the DSLAM supports only 
G.SHDSL.bis capabilities or also EFM capabilities. 


CLI (dsl-group)> tclayermode { single | all } 


Use single (default) when the DSLAM supports the EFM capabilities. 


Use all if the DSLAM does not support the EFM capabilities, but still supports EFM. This may occur with 
DSLAMs that use an older SHDSL chipset version that supports EFM but not yet the EFM capabilities 
(pre-standard) (e.g. Hatteras). 


Note: This parameter is related to the caplist parameter, although it is different. caplist oldstyle 
means the DSLAM only supports the SHDSL standard. caplist newstyle means the DSLAM supports 
the G.SHDSL.bis standard. 


The following parameter is only relevant for ATM operation versus a DSLAM based on the Conexant 
Octane chipset with the software versions 5.4 or 5.6 (below version 5.7). When using the autoconfig 
command, the router reads the chipset and software version of the DSLAM and adapts itself the 
vendorspecoctets. The purpose of this parameter is only for unknown DSLAMs or chipsets/versions to 
make it interoperable without needing to change the firmware. 


CLI (dsl-group)> vendorspecoctets <octetl> <octet2> 


Use the default command to restore the default settings of the following commands: 


4-wire-mode 
annex 

caplist 
cctargetmargin 
cre 
efmaggregation 
equipment 
linerate 

lines 

meansq 
pmmsmode 
tclayermode 
vendorspecoctets 
wetargetmargin 


For example, the following command sets the CRC error checking back to the default value: 


CLI (dsl-group)> default cre 
CLI (dsl-group) > 





4.3.2.3.2.6 Statistics and Traces 


To activate traces, use the following command: 
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CLI> trace filter add sys hdsl all 


To show the SHDSL interface status, use the following command: 
CLI> show gshdsl 


Current Status: 








Line 0 
Admin.Status UP Oper.Status DOWN 
Global Up/Down Counter : 0 
Phase : synchronisation... 
First pair started is 2.20 





pair[0] [DOWN_READY] 


User Configuration for G.SHDSL Line: 














Equipment : CPE (Annex B-G) 
ode : 4-wire-byte-interleav 
Rate : ADAPTIVE / 384 K to 4608 K 
ifIndex : 0 
Noise margin : 5 dB 
Snext noise margin : Disabled 


Retrain criteria 


























PAIR 0: 
SO Enabled | Average value on 0s | retrain on 
| is 0.00 | Value under threshold 0.00 
CRC Enabled | nb errored sec 0 | retrain on 0 errored secs 
Remote configuration: 
Remote configurate mode : 4 wire is NOT supported 
Remote firmware version 00 


Operational Mode: 





Synchronisation in progress: 4 wires enhanced mod 





Timer statistics : (value limit occurred) 
pair[0] autoconf 0 30 0 

synchro 51 120 5014 
Data Rate Ratio : No Value 
Firmware ROM release : 01030802 
Firmware PMD release ¢ dedi. 5. 52-007 
Firmware IDC release : 1.4.16 
Cell Delineation : NA 

Pair 0 

Data Rate : No Value 
Attenuation : No Value 
NoiseMargin : No Value 
TransmitPwr : No Value 
Chipset release : OFO70101 


Mib status 0x00000000 
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Retrain counters UP/DOWN: 
































Nb retrains since power-on | Nb retrains since last read 
SQ | CRC | FSync | FSync&SQ | SQ | CRC | FSynce | FSync&SQ 
LINE 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 
DOWN | | | | | | 
PAIR 0 | 0 | 0 | 0 | 0 | O | 0 | 0 
0 | | | | | | | 
Defense counters: 
power-on lastread 
Cell Delineation ON 0 0 
HEC ON 0 0 
Utopia statistics : 
(power-on lastread) 
CRC NA NA 
RxCells NA NA 
RxDrops NA NA 
RxHec NA NA 
TxCells NA NA 
(power-on Jlastread) SOC 
ES 0 0 
SES 0 0 
LOSWS 0 0 
UAS 0 0 





Current Status: 




















Line 1 
Admin.Status DOWN Oper.Status DOWN 
Global Up/Down Counter : 0 
Phase : line is idle 
User Configuration for G.SHDSL Line: 

Equipment : CPE (Annex A-F) 
ode : 2 wire mode 
Rate : FIXED / OK 
ifIndex 250. 

oise margin 2.2 AaB 

Snext noise margin : Disabled 


Remote configuration: 





Operational Mode: 





Utopia statistics : 
(power-on lastread) 
CRC NA NA 
RxCells NA NA 
RxDrops NA NA 
RxHec NA NA 
TxCells NA NA 
(power-on Jlastread) SOC 
ES 0 0 
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SES 0 0 
LOSWS 0 0 
UAS 0 0 


Current Status: 


















































Line 2 
Admin.Status DOWN Oper.Status DOWN 
Global Up/Down Counter : 0 
Phase : line is idle 
User Configuration for G.SHDSL Line: 
Equipment : CPE (Annex A-F) 
ode : 2 wire mode 
Rate : FIXED / OK 
ifIndex : 0 
oise margin $2. aB 
Snext noise margin : Disabled 
Remote configuration: 
Operational Mode: 
Utopia statistics : 
(power-on lastread) 
CRC NA NA 
RxCells NA NA 
RxDrops NA NA 
RXHEC NA NA 
TxCells NA NA 
(power-on Jlastread) SOC 
E 0 0 
SES 0 0 
LOSWS 0 0 
UAS 0 0 
Current Status: 
Line 3 
Admin.Status DOWN Oper.Status DOWN 
Global Up/Down Counter : 0 
Phase : line is idle 
User Configuration for G.SHDSL Line: 
Equipment : CPE (Annex A-F) 
ode : 2 wire mode 
Rate : FIXED / OK 
ifIndex 0 
oise margin : 2 dB 
Snext noise margin : Disabled 


Remote configuration: 





Operational Mode: 
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Utopia statistics 7 
(power-on lastread) 
CRC NA NA 
RxCells NA NA 
RxDrops NA NA 
RxHec NA NA 
TxCells NA NA 
(power-on Jlastread) SOC 
E 0 0 
SES 0 0 
LOSWS 0 0 
UAS 0 0 


The DSL group statistics are viewed as follows: 


CLI> show dsl-group 0 


Current Status 





Admin status 3 UP 

Oper status VUP 

Global Up/Down Counter 21 

Up time duration : Od 3h 17m 22s 
User Speed : 5696kbps 

Used Lines o2 


User Configuration 











lines ee 

encapsulation : efm 

equipment : cpe (annex B-G TC-PAM auto) 
linerate : adaptive / 192 kbps to 5696 kbps 
caplist : newstyle 

ccTargetMargin : 2d0B 

weTargetMargin : disabled 

4-wire-mode : auto 

pmmsMode : globespan 

autoconfig : enabled (multi-pair) 

active link nr oo 3 

active user speed: 0 

efmAggregation : negotiated 

tcLayerMode : single 


vendorSpecOctets : 0000 
retrain criteria 
ere check : retrain on 10 consecutiv rrored sec 
meansq check : retrain when noiseMargin lower than 2dB during 10 seconds 





Operational Mode 














Link status : UP_DATA_MODE 
Data rate : 5696 kbps 
Negotiated Constellation: 32 TC-PAM 
Used Capability List : newstyle 
Region Information : annex B-G 
Line attenuation : 0.0 dB 
Noise margin : 19.0 dB 
Transmit power 2. “8585. 0B 
Power back-off : 6.0 dB 
Last Fail condition : NO_COND_ 
Last Fail reason : ERR_UNUSED_ 
Pmms Mode : globespan 
Vendor Spec Octets : 0000 

Pair Order : master 
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Spon 


t| User | 


Retrain criteria: 
toss SSS S5 SS SSS Tay See ere ee Se 4+----------------------------- + 
| SQ | CRC | 
+------------------------------- == $----------------------------- + 
Pair 2 | average value in 10s is 18.98 dB | 0 consecutive errored sec | 
+------------------------ === - = $----------------------------- + 
Retrain counters: 
tooo ee ne + 
| Nb retrains since power-on | Nb retrains since last read 
tooo oH 5-5 ee + 
| SQ | CRC: | HEC: | Cell-D| Spont| User | SQ CRC HEC Celi=B4 
tooo Heer + 
Total | O | 0 | O | 0 | 0 0 | 0 0 0 
$---- $5 5 ee + 
Pair 2 | 0 | 2% Or O | 0 0 | 0 0 0 
tooo ee + 
Line Statistics: 
$o--- 9-5 ee + 
| Nb since power-on | Nb since last read 
tooo nee + 
| LL | CV | ES | SES | LOSWS VAS | LL CV ES SES | 
t--------- 5-5-5 ee eee + 
Pair 2 0 0 | Oo | 0 | 12 3 0 0 0 
tooo HH ee + 
4.3.2.3.2.7. G.SHDSL.bis configuration example 


The following listing shows a G.SHDSL.bis configuration example of an One100D. 


It shows the use of the controller shdsl 0 and dsl-group commands, and the use of the DSL 
group in an ATM interface: 


configure terminal 
no reboot recovery-on-error 
logging buffered size 16364 
controller shdsl 0 
dsl-group 0 
caplist oldstyle 
4-wire-mode standard 
pmmsmode globespan 
execute 
exit 
exit 
telnet timeout 4294967295 
console timeout 4294967295 


set multiple-conf-sessions enable 


hostname vxTarget 
interface FastEthernet 1/0 


ip address 1.1.1.2 255.255.255.252 


exit 
interface atm 0 
driver ident 0 
execute 
exit 
dsl-group 0 
exit 
interface atm 0.1 
pve ipoa vpi 0 vci 32 


ip address 3.3.3.1 255.255.255.252 
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inarp client 
qos vbr pcr 4608000 scr 64000 mbs 65535 
execute 
exit 
exit 
ip route 2.2.2.0 255.255.255.252 3.3.3.2 
no snmp set-write-community private 
no snmp set-read-community public 
voice-default 


4.3.2.3.3. SDSL 2B1Q Configuration 


SDSL 2B1Q should not be mixed up with the SHDSL standard (G.991.2). 


To start the SDSL interface configuration, enter the following command from the global configuration 
terminal: 


CLI (configure)> interface atm 0 
CLI (config-if)> sdsl 
CLI (sdsl)> 


You can configure several parameters: 


To set the connection mode, use the following command. cpe is the default value. When using co, the 
interface is configured so that it emulates the DSLAM interface. It can be useful for point-to-point 
connections. 


CLI(sdsl)> equipment { cpe | co } 
To set the framing type, use the following command: 


CLI(sdsl)> framing { CLRCH | G991 | DLCC | GENERIC } 


e  CLRCH: ATM cells and no framing 
e 6991: G991.1 framing specification 


e pLcc: DLCC framing specification 














e GENERIC: no framing 


To set the connection mode, use the following command: 
CLI (sdsl)> connect-mode { BASIC | FMODE | COPPER | FAST } 


BASIC: basic operating mode of the chipset 


e FMODE: mode compatible with Flow Point Corporation 





e COPPER: mode compatible with Copper Mountain Networks Inc. 


e FAST: GlobeSpan-specific: each side can select different data rates and a successful startup will 
occur at the lower of the two rates. 


Then, you can select the line rate, where the interface speed can be negotiated between a minimum and 
maximum value or is fixed. The configuration syntax is: 


CLI(sdsl)> linerate { fixed <speed> | 
adaptive <min-speed> <max-speed> | 
single <min-speed> <max-speed> | 
fast <min-speed> <max-speed> } 


The allowed speed values are provided in kilobit per second and must be provided as: 144+N*64 kbps 
with N ranging from 0 to 34 (minimum: 144 kbps, maximum: 2320 kbps). 


Details about non-fixed modes: 
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e linerate adaptive: (auto baud) negotiation between min rate and max rate 


e linerate single: (single baud) startup is made at the lowest rate and using EOC, both sides 
negotiate a new rate 


e linerate fast:same as adaptive, except that fewer startups are used on activation 


Then, enter ‘execute’ to validate the parameters and then 'exit' two times. 
To activate traces, use the following command: 
CLI> trace filter add sys sdsl all 


To show the SDSL interface status, use the following command: 





CLI> show sdsl 
4.3.2.3.3.1 Configuration Example with Recommended Values for the Lucent Stinger DSLAM 


interface atm 0 
sdsl 

equipment cpe 
framing CLRCH 
connect-mode FMODE 
linerate fixed 2320 
execute 

exit 

exit 


4.3.2.3.4 E1/T1 ATM Configuration 


The E1 uplink interface of the ONE60/200 routers supports ATM cell transport. The implementation is fully 
compatible with the ATM forum specifications, where the E1 can be fully used at 1920 kbps (30 timeslots) 
or partially. ‘Partial E1' is referred to as Nx64 mode and means that a number of time slots can form a time 
slot bundle, which can be used for transport of ATM cells. However, the partial E1 does not support 
several time slot bundles (NxPx64). For details about the specifications, the user should refer to the ATM 
Forum specifications: 


e Full E1: AF-PHY-0064, available under: _ ftp://ftp.atmforum.com/pub/approved-specs/af-phy- 
0064.000.pdf 


e = =6©°Partial E1: AF-PHY-0130, available under: _ ftp://ftp.atmforum.com/pub/approved-specs/af-phy- 
0130.000.pdf 


e T1:AF-PHY-0016, available under: ftp://ftp.atmforum.com/pub/approved-specs/af-phy-0016.000.pdf 


The configuration commands are the following to create the E1/T1 ATM interface: 


CLI> configure terminal 
CLI (configure)> interface atm <atm-if> 
CLI (config-if)> { el | t1 } 





<atm-if> is an arbitrary identifier (number starting from 0) identifying a physical interface where ATM 
cells are supported. The E1 interface can be 'master' (the device provides its internal clock) or slave (clock 
received). 


CLI (config-if-el)> equipment { master | slave } 
Then the time slots of the bundle must be entered. Note that the time slots do not need to be contiguous. 
The configuration commands are: 


CLI (config-if-el)> ts <first-ts-1>[-<last-ts-1l1>] 
CLI (config-if-el)> ts <first-ts-2>[-<last-ts-2>] 





Note that the use of time slot #0 and #16 are forbidden by the ATM specification for E1. For T1, useable 
time slots range from 1 to 24. Example for Time Slots: 
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CLI (config-if-el)> ts 1-15 
CLI (config-if-el)> ts 17 
CLI (config-if-el)> ts 19-23 





To enable the scrambling on the E1 interface, use the following command: 


CLI (config-if-el)> serial-scramble 


The default value is 'no serial-scramble'; ‘serial-scramble’ is the recommended value. 
If you wish to activate the 'coset' Header Error Correction, use the following command: 


CLI (config-if-el)> serial—heccoset 


The default value is 'no serial-heccoset'. 
To conclude the Ei ATM interface configuration, use the following commands: 
CLI (config-if-el) > execute 
CLI (config-if-el)> exit 
CLI (config-if)> exit 
CLI (configure) > 


The created ATM interface can be used with conventional ATM commands, which are common to other 
ATM-based interfaces such as G.SHDSL and ADSL. 


4.3.2.3.4.1 Configuration Example 


This example creates an E1 ATM interface with full line speed. An ATM PVC is created at the maximum 
line rate and supports a simple PPPoA connection: 


configure terminal 
interface atm 0 


el 
ts 1-15 
ts 17-31 
equipment slave 
execute 

exit 

exit 


interface atm 0.1 

pvc pppoa vpi 0 vci 32 
ip address 10.10.10.1 
ipep static 
authentication no 
qos cbr pcr 1920000 
execute 

exit 

exit 

exit 


4.3.2.3.5 ADSL 


4.3.2.3.5.1 Configuration 


To start the ADSL configuration, the user must enter into the configuration mode using the command: 


CLI> configure terminal 


First of all, the ADSL physical interface (the modem) must be configured. 


The CLI enters into the physical ADSL configuration mode (config-if), when typing the next command 
(<interface number> must be set to 0): 


CLI (configure)> interface adsl <interface number> 


Then, specify the modem mode and country (optional). 
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The AUTO value is used to try to connect first using GDMT mode then using ANSI_T1413 (POTS) or 
ETSI_DTS/TM_06006 (ADSL over ISDN). 











CLI (config-if)> modem mode { AUTO | GDMT | GDMT_B | GDMT_B DT | 
ANSI_T1413 | ETSI_DTS/TM_06006 | GLITE } 


The value for country is an integer value described in ITU-T 1.35 recommendation (procedure for 
allocation of ITU-defined codes for non-standard facilities). For instance: France is 61, Germany is 6, UK is 
180, USA is 181, and Belgium is 15. 


CLI (config-if)> country <country-id> 
In same cases a different ADSL firmware has to be used. Refer to the Software Release Note to know 
which ADSL firmware releases are available. 

CLI (config-if)> firmware-alternate <0-1> 
The 13-power-mode command is specific to ONE20/100 routers. It is only for debug purpose; it should 
not be used in products installed in live networks. 13—power-mode enabled forces the modem to stay in 


level-3 power mode (the power-save mode will not therefore be used). The default is "13-power-mode 
disabled" (which means the modem can go to power mode level 0). 





CLI (config-if)> 13-power-mode { disabled | enabled } 


The execute command closes the physical interface configuration putting into place the parameters that 
have been set. 


CLI (config-if)> execute 


Example: 


interface adsl 0 
modem mode AUTO 
country 61 
execute 
exit 
The next command removes the ADSL physical interface: 


CLI (config-if)> no interface adsl 0 


The second step is to configure the ATM physical interface to use an ADSL logical channel. 


The adsl command configures the physical interface for the ATM interface in ADSL mode; first, enter the 
ATM interface configuration mode: 


CLI (configure)> interface atm <interface number> 


<interface number> must be set to 0 for ONE60/200. 
The CLI enters into the ADSL configuration mode (config-if), when typing the next command: 


CLI (config-if)> adsl 


This command removes the interface ADSL: 
CLI (config-if)> no adsl 
Some parameters must be chosen before starting the ADSL interface. The related commands and 
parameters are: 
CLI> channel type <type> 
This command specifies kind of ADSL channel we want to use with that ATM interface. The values could 


be default, fast or interleaved. However, the only available value today is default (fast or interleaved value 
are for future use). 


CLI> execute 
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The command closes the physical interface configuration putting into place the parameters that have been 


set. 


Example: 


4.3.2.3.5.2 


interface atm 0 

adsl 
channel type default 
execute 

exit 

exit 


Statistics 


The show ADSL CLI command display that screen. 


CLI> show ADSL 

Modem software version (0x3916): 3.9.22 
firmware version) 

Modem in Showtime 

modem state) 

Upstream Bitrate Fast: 0 kbps 

far-end fast channel bit rate) 
Downstream Bitrate Fast: 0 kbps 
near-end fast channel bit rate) 
Upstream Bitrate Interleaved: 160 kbps 
far-end interleaved channel bit rate) 








near-end interleaved channel bit rate) 
Upstream bit rate occupation: 23 

% of the maximum attainable (Bmax) ) 
Downstream bit rate occupation: 12 

S of the maximum attainable (Bmax) ) 
Downstream Noise Margin: (67) 33.5 dB 
amount of increased noise that can 
downstream BER of 10-7) 

<read value>) <decoded value> dB 
Upstream Noise Margin: (62) 31 dB 
amount of increased noise that can 
upstream BER of 10-7) 

<read value>) <decoded value> dB 
Downstream Transmit Power: (40) 20 dBm 
ATU-C transmit power level) 

<read value>) <decoded value> dBm 
Upstream Transmit Power: (24) 12 dBm 
ATU-R transmit power level) 

<read value>) <decoded value> dBm 
Downstream Attenuation: (82) 41 dB 





























transmit power level) 
<read value>) <decoded value> dB 
Upstream Attenuation: (58) 29 dB 








transmit power level) 
<read value>) <decoded value> dB 





Downstream Bitrate Interleaved: 608 kbps 


b 


b 





corrections in a data frame) 





corrections in a data frame) 





corrections in a data frame) 





umber of far-en 
corrections in a data frame) 


























tolerat 





tolerat 


whil maintaining a 





Near-end frame received with FEC (interleaved) : 
umber of near-end received superframes with one or more 


a 
Far-end frame received with FEC (interleaved): 0 
d received superframes with one or more 


Near-end frame received with FEC (non interleaved) : 
umber of near-end received superframes with one or more 


Far-end frame received with FEC (non interleaved) : 
umber of far-end received superframes with one or more 
a 


1 


0 


whil maintaining a 


Near-end frame received with CRC error (non interleaved): 0 
umber of near-end received superframes with an incorrect CRC) 


Reed-Sol 


Reed-Sol 


Reed-Sol 


Reed-Sol 


difference between the power received by the ATU-R and a reference ATU-C 


difference between the power received by the ATU-C and a reference ATU-R 


Lomon 


Lomon 


Lomon 





Lomon 
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Far-end frame received with CRC error (non interleaved): 0 
(Number of far-end received superframes with an incorrect CRC) 
Near-end frame received with CRC error (interleaved): 0 
(Number of near-end received superframes with an incorrect CRC) 
Far-end frame received with CRC error (interleaved): 2 
(Number of far-end received superframes with an incorrect CRC) 
Near-end frame received with HEC error (non interleaved): 0 
(Number of near-end received superframes with an HEC error) 
Far-end frame received with HEC error (non interleaved): 0 
( 
N 
( 
F 
( 
N 
( 




















umber of far-end received superframes with an HEC error) 

ear-end frame received with HEC error (interleaved): 0 

umber of near-end received superframes with an HEC error) 

ar-end frame received with HEC error (interleaved): 0 

umber of far-end received superframes with an HEC error) 
ear-end bitmap status: 00 

Current defects bitmap) 

<value> (<value decoded in non-zeroe>) 

Far-end bitmap status: 00 

(Current defects bitmap) 

<value> (<value decoded in non-zero >) 

Near-end bitmap change: 00 

(Defects bitmap, indicating changes) 

<value> (<value decoded in non-zero >) 

Far-end bitmap change: 00 

(Defects bitmap, indicating changes) 

<value> (<value decoded in non-zero >) 

Near-end bitmap 2.5 s: 00 

(Defects bitmap during 2.5S) 

<value> (<value decoded in non-zero >) 

Far-end bitmap 2.5 s: 00 

(Defects bitmap during 2.5S) 

<value> (<value decoded in non-zero >) 

Carrier Load: 

(Number of bits per symbol each tone carries (two tones per byte) ) 
000 - 00 00 00 00 22 23 33 44 44 44 44 44 43 32 22 00 00 00 00 00 
020 - 00 00 22 22 33 44 44 44 44 44 44 24 44 44 43 43 44 44 44 44 
040 - 44 44 44 44 22 22 23 33 33 33 33 23 22 22 00 00 00 00 00 00 
060 — 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 O00 OO O00 00 
080 -— 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 O00 OO O00 00 
100 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 OO O00 00 
120 -— 00 00 00 00 00 00 00 O00 

Rx Counter Fast Channel: 0 

Rx Counter Interleaved Channel: 1069711 

Tx Counter Fast Channel: 0 

Tx Counter Interleaved Channel: 48079 

Operational Mode (INFO_0): 2 (ITU G.992.1-ANNEX-A) 

<value> (<decoded value>) 

Operational Mode (INFO_1): 0 (NA) 

<value> (<decoded value >) 

Near-end Version: 0x21 AVN 1 IVN 0x01 

<value> (<decoded value > 

Far-end Version: Oxff (NA) 

<value> (<NA meaning not applicable if OxFF>) 

Near-end Vendor: 0x0022 

<value> (<NA meaning not applicable if OxFF>) 

Far-end Vendor: Oxffff (NA) 

<value> (<NA meaning not applicable if OxFFFF>) 

UP-DOWN Counter: 0 

ShowTime duration: Od 0h 24m 27s 















































Example result for modem not connected: 


Modem software version (0x3916): 3.9.22 
Modem trying to connect 
UP-DOWN Counter: 1 


Values for modem state: 
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Modem is IDLE 
- Waiting for an open command. 


Modem is LISTENING 
- Listening state (only for Listen Round Robin (ATU-C)) not used 


Modem trying to connect 
- Open command received and waiting for response 


Modem is HANDSHAKE 
- G.hs of ITU-T ACTIVATING phase 


Modem connected 
- ACT/ACK phase passed (ANSI) or handshaking phase terminated (ITU) 


Modem in Showtime 
- ACTIVATING phase passed 


Modem in unknown state 


Values for Defects bitmap <decoded value>: 


Displayed using (<decoded value 1> | ... | <decoded value n>) 
<LOS>: Loss of signal 

<LOF>: Loss of Frame 

<LOP>: Loss of power 

<LCD_NI>: Loss of cell delineation (non interleaved) 

<LCD_I>: Loss of cell delineation (interleaved) 

<LOM>: Loss of margin 


Values for Operational Mode (INFO_0) <decoded value>: 


ANSI T1.413 
ITU G.992.1-ANNEX-A 
ITU G.992.2-ANNEX-A 


Values for Operational Mode (INFO_1) <decoded value>: 


ANSI ETSI DTS/TM—06006 
ITU G.992.1-ANNEX-B 
NA 


Values for Near | Far-end Version <decoded value>: 


NA 
AVN <ANSI version Number> IVN <ACTIVATING Version Number> 


4.3.2.3.6 Inverse Multiplexing For ATM (IMA) over E1/T1 
4.3.2.3.6.1 Principles of IMA 


IMA is a technique enabling to split and reassemble an ATM cell stream over multiple physical links. It was 
defined by the ATM Forum recommendation AF-PHY-0086.0001. For more details, please refer to: 





ftp://ftp.atmforum.com/pub/approved-specs/af-phy-0086.001.pdf 


This technique is highly efficient to increase incrementally the capacity of transmission links. The ONE400 
can be equipped with an IMA module supporting 4 or 8 E1/T1. Such module fills the bandwidth gap 
between a single, 2 Mbps E1 link and the E3 (34 Mbps) for a fraction of the E3 bandwidth cost. 


An IMA interface forms an IMA group. An IMA group is actually made up of several physical links. The role 
of IMA is to split the incoming cell traffic over the different physical interfaces. The IMA group must 
respectively reassemble the cell stream at the remote end. The IMA algorithm ensures the cell stream is 
reassembled in the proper order and compensates for possible inter-link delays. An embedded OAM 
ensures links can be dynamically added / removed in the group. 


The data transiting over the E1/T1 links are made up of: 


e ATM cells (the cells are sent over each link on a cell-by-cell basis) 
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e ICP (IMA Control Protocol) cells 
e Filler cells (when no ATM cell have to be sent) 


The IMA group manages the cell stream over the N links. Over each link, the IMA group controls the cell 
stream by using an IMA frame of length M. An IMA frame contains one ICP cell, some ATM cells and/or 
filler cells. The IMA frame is the unit of control of IMA. 


The ATM, filler and ICP cells are transported over E1/T1 in a similar manner as ATM over E1/T1. This 
means: 


e For E1: data are transmitted over 30 time slots (64 kbps, time slot 0 and 16 excluded). An ATM actual 
bit rate of 1920*N*(M-1)/M kbps is offered (we must remove the ICP cell). 


e For T1: data are transmitted over 24 time slots (64 kbps, time slot 0 excluded). An ATM actual bit rate 
of 1536*N*(M-1)/M kbps is offered (we must remove the ICP cell). 
4.3.2.3.6.2 | Configuration 


To provision the IMA interface, first enter in ATM interface configuration mode: 
CLI (configure)> interface atm <interface-number> 

CLI (config-if)> [no] ima 

CLI (config-ima) > 





<interface-number> is usually 0. 


The CLI has entered into the IMA configuration mode. You can set the IMA frame length M, when typing 
the following command: 


CLI (config-ima)> frame-length { 32 | 64 | 128 | 256 } 
The frame length must be the same at each end of the IMA link (default: 32 cells per frame). The following 


command sets the number of active links required to consider the interface as up and running (default: 1 
link): 


CLI (config-ima)> active-link-number <1..7> 
Inter-link differential delays are the difference between transit delays of each link. The IMA group must 
compensate such differential delays till a maximum configured as follows: 


CLI (config-ima)> max-delay <milliseconds> 


The default value is 20 ms and the range of allowed delays is: 


- <0 .. 220> for El 
= <0 a 2795S Bor Lt 





The following command sets the clock property for links of the IMA group: 
CLI (config-ima) > clock-mode {dependent | independent} 
If dependent is selected, it means that all links are synchronized on the same clock source; 


independent indicates that links may have different sources. Usually, all links are always synchronized 
on the same source; the default value is then dependent. 


Then you must configure each E1/T1 link. Note that E1 and T1 cannot be simultaneously supported. The 
following command makes the CLI enter in PRI interface configuration mode: 


CLI (config-ima)> [no] pri-link 2/<0..7> 
CLI (config-pri) > 


The PRI port number actually ranges from 0 to 3 or 0 to 7 depending on the number of links physically 
available on the IMA card you are using. 


The following command configures the AIS mode (ITU-T G.775 or ETSI 300 233): 


CLI (config-pri)> ais-mode { itu | etsi } 


Default: itu. 
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The following command sets the clock mode (synchronized on the network = slave): 


CLI (config-pri)> equipment { master | slave } 


Default: master. When two devices function back-to-back, one must be master, the other is slave. The 


following command sets the E1/T1 interface in short or long haul (enabling higher reach): 


CLI (config-pri)> haul { short | long } 


Default: short. Then, configure the interface in E1 or T1 mode: 





CLI (config-pri)> port-type { el | t1 } 


For E1, you can set the following interface parameters: 


CLI (config-el)> framing { nil | ddf | mff-crc4 | mff-crc4-ext } 
CLI (config-el)> line-code { ami | hdb3 } 


The framing attributes are: 


- nil - Transparent Mode 

- ddf - Double Frame Format 

-mf£-crc4 - CRC4 Multi Frame Format 

- mf£-crc4—ext - CRC4 Multi Frame Format Extended G.706B 


Default: nil and ami. 


For T1, you can set the following interface parameters: 


CLI(config-tl)> framing { nil| £4| £12| esf| esf-crc6| esf-crc6-jt| £72 } 


CLI (config-tl)> line-code { ami | b8zs } 


The framing attributes are: 


- nil - Transparent Mode (FALC acts as LIU only) 

- £4 - 4-Frame multiframe 

- £12 - 12-Frame multiframe (D4) 

- esf - Extended Super Frame without CRC6 

- esf-crc6 - Extender Super Frame with CRC6 

- esf-crc6- jt - Extended Super Frame with CRC6 JT G.706 for Japan 
- £72 - 72-Frame multiframe (SLC96) 


Default: nil and ami. 


Then enter 'exit' to finish the link configuration and configure the following links. Then, enter ‘execute’. 
4.3.2.3.6.3 Statistics 


IMA statistics are obtained using the following command: 


CLI> show ima 
4.3.2.3.6.4 Example 


The following example is an IMA interface with a single E1 link: 


interface atm 0 
ima 

pri-link 2/0 
port-type el 
exit 

execute 

exit 

exit 
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4.3.2.3.7 Inverse Multiplexing For ATM (IMA) over G.SHDSL 
4.3.2.3.7.1 Principles of IMA 


IMA is a technique enabling to split and reassemble an ATM cell stream over multiple physical links. It was 
defined by the ATM Forum recommendation AF-PHY-0086.0001. For more details, please refer to: 





ftp://ftp.atmforum.com/pub/approved-specs/af-phy—0086.001.pdf 


This technique is highly efficient to increase incrementally the capacity of transmission links. The 
ONE300/400 can be equipped with an IMA interface supporting four G.SHDSL links which allows a 
symmetric data rate up to 9139 Kbps. 


An IMA interface forms an IMA group. An IMA group is actually made up of several physical links. The role 
of IMA is to split the incoming cell traffic over the different physical interfaces. The IMA group must 
respectively reassemble the cell stream at the remote end. The IMA algorithm ensures the cell stream is 
reassembled in the proper order and compensates for possible inter-link delays. An embedded OAM 
ensures links can be dynamically added / removed in the group. 


The data transiting over the DSL links are made up of: 

e ATM cells (the cells are sent over each link on a cell-by-cell basis) 
e ICP (IMA Control Protocol) cells 

e Filler cells (when no ATM cell have to be sent) 


The IMA group manages the cell stream over the N links. Over each link, the IMA group controls the cell 
stream by using an IMA frame of length M. An IMA frame contains one ICP cell, some ATM cells and/or 
filler cells. The IMA frame is the unit of control of IMA. 


4.3.2.3.7.2 | Configuration 


To provision the IMA interface, first enter in ATM interface configuration mode: 
CLI (configure)> interface atm <interface-number> 

CLI (config-if)> [no] ima 

CLI (ima) > 





<interface-number> is 0. 


The CLI has entered into the IMA configuration mode. You can set the IMA frame length M, when typing 
the following command: 


CLI(ima)> frame-length { 32 | 64 | 128 | 256 } 
The frame length must be the same at each end of the IMA link (default: 32 cells per frame). The following 
command sets the number of active links required to consider the interface as up and running: 


CLI (ima)> active-link-number <1..4/8> 


Default: ‘1’. Maximum value depends on the hardware configuration (one300 <4>, one400 <4/8>) 


Inter-link differential delays are the difference between transit delays of each link. The IMA group must 
compensate such differential delays till a maximum configured as follows: 


CLI (ima)> max-delay <milliseconds> 


The default value is 20 ms: 
The following command sets the clock property for links of the IMA group: 
CLI(ima)> clock-mode {dependent | independent} 
If dependent is selected, it means that all links are synchronized on the same clock source. 


independent indicates that links may have different source. Usually, all links are always synchronized on 
the same source; the default value is then dependent. 


Then you have to set the common physical layer parameters (G.SHDSL). The following command makes 
the CLI enter in the common G.SHDSL configuration node: 


CLI(ima)> gshdsl 
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CLI (shdsl) > 


The following command configures the G.‘SHDSL annex type: 
CLI(shdsl)> annex { A | B } 


Default: ‘B’. ‘A’ is used in North America and ‘B’ in Europe. 
The following command indicates the equipment type. Only the CPE type is offered. 
CLI (shdsl)> equipment CPE 
The following command enables configuration of the interface bit rate in fixed mode or dynamic mode. The 


rate value is fixed between 192 and 2304 kbps by steps of 64 kbps or dynamic (get from remote DSLAM 
line rate). 


CLI(shdsl)> linerate {<value> | dynamic } 


Default is linerate dynamic. 
Then enter ‘exit’ to finish the common G.SHDSL parameters configuration. 


Last you must configure each G.SHDSL link. The following command makes the CLI enter in G.SHDSL 
link interface configuration mode: 


CLI(ima)> [no] gshdsl-link { <0..3> | <0..7> } 
CLI (shdsl-link) > 


Maximum value depends on the hardware configuration (one300 <0..3>, one400 <0..3/7>). 


The following command specifies the activation of retrain on loss of framing (if framing is lost, by default, 
the SHDSL line should restart training). Retrain is enabled if setting synchro is set as check otherwise it 
is disabled. 


CLI (shdsl-link)> synchro {check | no} 


Then enter 'exit' to finish the link configuration and configure the following links. Then, enter 'execute’. 
Other commands: only for experts 


The max-tx-ring command specifies the maximum size of the transmission buffer ring. The minimum 
configurable size is 4 and the maximum is 128. The default size is 128. 


CLI (ima)> max-tx-ring <value> 
4.3.2.3.7.3 Statistics 


IMA statistics are obtained using the following command (explanations about the meaning of counters is 
provided hereafter): 


CLI> show ima 























4--------------------------------------------- = = = 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 = + 
UP Time duration: Od Oh 8m 44s Current time: 0d lh 48m 28s 
Upstream: 4315472 b/s (10178 cell/s) Downstream: 4315472 b/s (10178 cell/s) 
$--------------------------------------------- = = 5-5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 + + 
Group 1 UP Ne State: Operational Fe State: Operational 
Up/Down counter: 4 4/4 links active to transmit 4/4 links active to receive 
4$------------------ === += === 5-5-5 5-55 5 5 55 5 5 5 5 55 5 5 5 5 5 5 5 5 55 5 5 55 55 5 5 55 5 55 == + 
Link 0 UP Tx Id : 0 Rx Id : 2 
* (RefClock TX) NeTxState Active NeRxState Active 
* (RefClock RX) FeRxState Active FeTxState Active 
$------------------ ---------------------------- +--+ == += - 5-5-5 5 5-5 5 5 5 5 5 5 5 5-5 + 
Link 1 UP Tx Id. 2:1 Rx Id: 1 
NeTxState Active NeRxState Active 
FeRxState Active FeTxState Active 
4------------------ ----------------------- == === += = 5-5-5 5-5-5 5 5 5 55 5 55-55 5 5 == == - + 
Link 2 UP THE 222 Rx Id + 0 
NeTxState Active NeRxState Active 
FeRxState Active FeTxState Active 
4------------------------ === +--+ 5 5-5-5 5 555 5 5 5 5 5 5 5 5 55 5 5 555 5 5 55-555 == - + 
Link 3 UP Tx Dae se .3 Rx Id: 3 
NeTxState Active NeRxState Active 
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FeRxState Active FeTxState Active | 


The first block gives the following IMA group connection information: 


Up time duration: Elapsed time since IMA group goes UP. 
Current time: Elapsed time since last reboot. 


Up/Downstream: IMA Rx/Tx data rate in bps and IMA data cell rate in cell/s. 


The second block gives the following IMA group status information: 


Group <grpID>: IMA group main state { UP | DOWN }. 


Ne/Fe State! Near-end/far-end IMA group state machine { Start-up | Start-up 
Ack | Config aborted | Blocked | Insufficient Links | Operational }. 


Up/Down counter: IMA group up/down counter since group creation. 


Rw/Tx link active: Quantity of links active to transmit or receive. 


The next blocks give the following IMA links status information: 


4.3.2.3.7.4 


Link <lnkID>: IMA link main state (G.SHDSL link state) { UP | DOWN }. 
Top star ‘*!': The physical clock source for the Transmit IMA group. 

Bottom star **’: The physical clock source for the Receive IMA group. 

RefClock Tx: The line ID of the link to be used as the transmit timing reference. 

RefClock Rx: The Line ID of the link being used as the receive IMA group timing reference. 
Tx/Rx Id: Rx ID (FE link ID) / Tx ID (NE link ID). 

e/FeTxState! Near-end / far-end IMA transmit link state machine { Not In Group | 
Unusable No Reason | Unusable Fault | Unusable Misconn | Unusable Blocked | 
Unusable Failed | Usable | Active }. 

e/FeRxState! Near-end / far-end IMA receive link state machine { Not In Group | 
Unusable No Reason | Unusable Fault | Unusable Misconn | Unusable Blocked | 
Unusable Failed | Usable | Active }. 





Example 


The following example is an IMA interface with 4 G.SHDSL link at 4 x 2048 Kbps: 


interface atm 0 
ima 
gshds1l 
linerate 2048 
exit 
gshdsl-link 0 
exit 
gshdsl-link 1 
exit 
gshdsl-link 2 
exit 
gshdsl-link 3 
exit 
execute 
exit 
exit 
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4.3.2.3.8 


STM-1 


The ONE400 can be equipped with an STM-1 interface with optical fiber interface, supporting only ATM. 


4.3.2.3.8.1 


Configuration 


To provision the STM-1 interface, first enter in ATM interface configuration mode: 


CLI (configure)> interface atm <interface number> 
CLI (config-if)> 


Note: <interface number> is usually 0. 


The CLI enters into the STM-1 configuration mode (config-if), when typing the following command: 


CLI (config-if)> stml 
CLI (stm1)> 


You can define the OAM behavior of the STM-1. You can enable or disable the emission of AIS (F3 OAM, 
not ATM), when the STM-1 interface is considered as down: 


CLI(stml)> [no] ais-shut 


In case of poor transmission quality, the Bit Error Ratio (BER) is excessive. Two thresholds are defined so 
that the OAM considers the interface as having a degraded signal or failing signal. For the threshold 
configuration measuring degraded signal, the command is the following: 


<3 


CLI(stml)> sd-ber <3..9> 


9> is the 10-exponent of the BER. For example, when the value is 8, it means the signal is 


considered as degraded when the BER has exceeded 10-8 (default value: 6) 


For failure threshold, the command is the following: 


CLI (stml1)> sf-ber <3..9> 


sf-ber has the same type of value as sd-ber. Default value: 3. 


If you wish to log alarms, use the report command as follows: 


CLI(stml)> [no] report { all | 
rsop-oof | 
rsop-lof | 
rsop-los | 
rlop-lrdi | 
rlop-lais | 
rpop-oof | 
rpop-pls | 
rpop-lop | 
rpop-ais | 
rpop-prdi | 
rpop-erdi | 
rxcp-led | 
rxcp-oocd | 
raop-oof | 
raop-lof | 
rase-sf | 
rase-sd } 


The alarm names should be interpreted based on the meaning of these acronyms: 


OOF: Out of Frame, error counting a misaligned frame 
LOF: Loss of Framing, a bit rate is received, but the interface cannot achieve frame delineation. 
LOS: Loss of Signal 


AIS: Alarm Indication Signal, signal indicating forward that a node along the STM-1/SDH path is 
defect. It may be preceded by the letter 'P' (Path), 'L' (Line), 'S' (Section); see SDH related 
information. 
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e RDI: acknowledgement of the AIS message. 
e RSOP: Receive Section Overhead Processor 
e RLOP: Receive Line Overhead Processor 


e _RPOP: Receive Path Overhead Processor 


e _RXCP: Receive ATM Cell Processor (ATM Cell delineation) 


e _RASE: Receive BER monitor 
e  OOCD: Out Of Cell Delineation 


Once done with these configuration parameters, you can terminate the STM-1 interface configuration using 


the following: 


Q 


LI(stm1l)> execute 
LI(stml)> exit 

LI (config-if)> exit 
LI (configure) > 





aaa 


4.3.2.3.8.2 Statistics 


Use the following command to display STM-1 statistics: 


CLI> show stml 


4.3.2.3.8.3 Configuration Example 


The following example provisions an STM-1 interface with a single ATM VC. 


interface atm 0 

stml 

no report all 

execute 

exit 

exit 

interface atm 0.4 

pve ipoa vpi 0 vci 34 
ip address 20.24.4.12 255.255.255.0 
ip remote 20.24.4.25 
inarp no 

qos cbr pcr 64000000 
priority 2 

execute 

exit 

exit 


4.3.2.4 ATM Generic Permanent Connections (Generic ATM-AAL5 PVC) 


Some PVC types only support a dedicated service (IPoA, PPPoA ...). ATM-AAL5 PVC’s are generic PVC 
meant for multiple applications (for example: VLAN over ATM or MLPPPoEOA). This chapter deals with 
PVC for generic applications (generic PVC). Refer to 4.3.2.5 for PVC for dedicated services (dedicated 


PVC). 


The generic PVC configuration takes place at the ATM sub-interface level and is well defined by the 
following parameters: ATM interface, ATM-AAL5 sub-interface upon which the PVC is linked, and VPI and 


VCI numbers of the PVC. 


4.3.2.4.1 PVC Templates 


A PVC template is intended to configure some common PVC characteristics. To start configuring the PVC 


template that contains the ATM related parameters, enter: 


CLI (configure) > virtual-template pve <1..255> 


CLI (config-virt-pvc) > 
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The ATM Quality of Service (QoS) on PVC is configured in this virtual template by defining the Class of 
Service (CoS) type and its associated rate parameters. 


The pcr rate parameter represents the peak cell rate in bit per second (bps). The pr rate parameter 
represents the peak rate (=PCR) in bit per second (bps). The arb rate parameter is the average bit rate of 
the stream in bit per second (bps). The scr rate parameter is the sustainable cell rate in bit per second 
(ops). The mbs rate parameter represents the maximum burst size in cells (number of cells). The mcr rate 
parameter is the minimum (guaranteed) cell rate in bit per second (bps). 


Note: If a PCR value is configured above the actual interface speed, this value is automatically reduced to 
the actual interface speed. 


To set the UBR CoS (for all PVC), use the following command in virtual template configuration mode: 


CLI (config-virt-pvc)> gos ubr per <32000..line-rate> 


To set the CBR CoS (for all PVC), use the following command in virtual template configuration mode: 
CLI (config-virt-pvc)> gos cbr per <32000..line-rate> 
To set the VBR-rt CoS (for all PVC) use the following command in virtual template configuration mode 
VBR-rt should be used for voice service. 
CLI (config-virt-—pvc)> qos vbr-rt pr <32000..line-rate> 
arb <32000..pr-value> 
To set the VBR-nrt CoS (for all PVC) use the following command in virtual template configuration mode: 
CLI (config-virt-pvc)> gos vbr per <32000..line-rate> 
ser <32000..pcr-value> mbs <burst-size> 
To set the UBR+ CoS (ONE400 specific) use the following command in virtual template configuration 
mode. 


CLI (config-virt-pvc)> qos ubrplus per <32000..line-rate> 
mer <32000..pcr-value> 


To reset the default CoS (UBR, 2 Mbps PCR) use the following command in virtual template configuration 
mode. 


CLI (config-virt-—pvc)> qos qos-default 


To apply a priority to the CoS, use the following command in virtual template configuration mode. 


CLI (config-virt-pvc)> priority <l..8> 


The priority command is optional and it is not recommended to use it in standard cases. You will find 
below a table summarizing ATM CoS for the OneOS-based range of products. The table explains the 
meaning of the priority command and its associated priority values. The priority is the order in which 
the internal ATM scheduler sends ATM cells. If two PVC's with the same CoS must be differentiated, then 
the priority is significant. 






































Class of Service | ONE400 device ONE60/200/300 devices ONE100 device 

Possible Priorities | Default] Possible Priorities | Default} Possible Priorities | Fixed 
CBR 1,2 2 1 1 N/A 1 
VBR-rt 3,4 4 1,2 1 N/A N/A 
VBR-nrt 5,6 5 3,4 3 N/A 2 
UBR+ 5,6 6 N/A N/A N/A N/A 
UBR 7,8 8 3,4 4 N/A 4 














The ATM OAM parameters are set under this template. Please refer to 4.3.2.6.2 for more details. Once all 
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parameters in virtual template are set, enter the exit command. 


4.3.2.4.2 Generic PVC Creation 


To enter in ATM sub-interface configuration mode, use the following command in configuration mode: 

CLI (configure)> interface atm-aal5 <port 0..4>.<sub-interface 1..255> 

CLI (config-if)> 
The port number is the one assigned to the ATM interface, while the ATM sub-interface number is an 
arbitrary value. 


To enter into generic PVC configuration mode, use the following command in ATM AAL5 sub-interface 
configuration mode (if the PVC does not exist, it is created): 


CLI (config-if)> pve vpi <vpi> vei <vci> [<vc-name>] 


CLI (aal5) > 


The VPI and VCI values define the PVC. The values are chosen from the range defined in the ATM driver 
interface configuration mode. <vc-name> is a string of characters identifying the PVC connection. The 
command may return an error if the couple (VPI-VCl) exists for another ATM sub-interface. 


4.3.2.4.3 Generic PVC Configuration 


The generic PVC needs to be configured using a PVC virtual template that gathers all the parameters and 
has to be defined before (see 4.3.2.4.1). To associate the virtual template parameters to the generic PVC 
being configured, use the following command in AAL5 PVC configuration mode: 


CLI (aal5)> profile-pve <virtual-template-id> 


Then, return to the configuration mode by entering: 


CLI (aal5)> exit 
CLI (config-if)> exit 
CLI (configure) > 





4.3.2.5 ATM Dedicated Permanent Connections (Dedicated PVC) 


The dedicated PVC configuration takes place at the ATM sub-interface level and is well defined by the 
following parameters: ATM interface, ATM sub-interface upon which the PVC is linked, VPI and VCI 
numbers of the PVC, and type of PVC. 


Other parameters are optional or mandatory, according to the type of PVC created. 
4.3.2.5.1_ Dedicated PVC Attachment 
To enter in ATM sub-interface configuration mode, use the following command in configuration mode (if 


the PVC does not exist, it is created): 

CLI (configure)> interface atm <port-number 0-4>.<sub-interface 1-255> 
The port number is the one assigned to the ATM interface, while the ATM sub-interface number is an 
arbitrary value. 


To enter into dedicated PVC configuration mode, use the following command in ATM sub-interface 
configuration mode: 


e Fora PVC used by IP: 


CLI (config-if)> pve {ipoa | pppoa | pppoeoa } vpi <vpi> vei <vci> [<vc-— 
name>] 


ipoa indicates that the PVC is used for IP traffic directly encapsulated in AAL-5 (no PPP); whereas pppoa 
indicates that the PVC supports PPP for IP traffic. To remove the ATM sub-interface configuration, use the 


Page 4.3-158 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


following command in configuration mode. 


CLI(configure)> no pve { ipoa | pppoa | pppoeoa } vpi <vpi> vei <vci> 


e Fora PVC used by voice over ATM (VoDSL) service: 
CLI (config-if)> pve voiceoa vpi <vpi> vei <vci> [<vc-name>] 
The VPI and VCI values define the PVC. The values are chosen from the range defined in the ATM driver 


interface configuration mode. <vc-name> is a string of characters identifying the PVC connection. The 
command may return an error if the couple (VPI-VCl) exists for another ATM sub-interface. 


4.3.2.5.2_ Dedicated PVC Configuration 


Note: in the following CLI (pvc) > is used for any dedicated PVC (ipoa, pppoa, pppoeoa and voiceoa). 


To set PVC encapsulation of IP packets within AAL5 frames, use the following command in PVC 
configuration mode: 


CLI (pvc)> encapsulation { llc | mux } 


Encapsulation is set to 11c (LLC/SNAP) by default. The reader should refer to RFC 2684 for details about 
IP encapsulation in AAL-5. 


The ATM Quality of Service (QoS) on PVC is configured in PVC configuration mode by defining the Class 
of Service (CoS) type and its associated rate parameters. Refer to 4.3.2.4.1 for more information about the 
QoS configuration commands. 


CLI(pvc)> gos { ubr per <pcr-in-bps> | 
cbr per <pcr-in-bps> | 
vbr-rt pr <pr-in-bps> arb <arb-in-bps> | 
vbr per <pcr-in-bps> ser <scr-in-bps> mbs <mbs-in-cells>| 
ubrplus per <pcr-in-bps> mer <mcr-in-bps> } 


4.3.2.5.2.1 IP over ATM Service 


IPOA service is well identified by a PVC and an IP address, defining the PVC as an IP interface. To enter 
in IPOA configuration mode, use the following command in ATM sub-interface configuration mode: 


CLI (config-if)> pve ipoa vpi <vpi> vei <vci> 


To set the IP address for an IPOA PVC, use the following command in IPOA configuration mode: 
CLI(ipoa)> ip address <ip address> <subnet mask> 

The Inverse Address Resolution Protocol (INARP) is used by default for resolution of the IP address of the 

remote endpoint of the PVC. If you want to provide the IP address of the remote end point of the PVC, the 


INARP must be disabled. The following command disables the ATM Inverse ARP and sets the remote IP 
address: 


CLI(ipoa)> inarp no 
CLI (ipoa)> ip remote <ip-address> 


To enable the Inverse ARP for ATM protocol on an IPOA PVC, use the following command in IPOA 
configuration mode: 


CLI (ipoa)> inarp client 
CLI (ipoa)> execute 


Configuration steps are as follows: 


CLI> configure terminal 

CLI (configure)> interface atm <indexl>.<index2> 

CLI (config-if)> pve ipoa vpi <numberl> vei <number2> 
CLI (config-if)> encapsulation {llc | mux} 
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CLI (ipoa)> qos <type> per <value> ser <value> mbs <value> 
CLI (ipoa)> execute 





The encapsulation default value is LLC. 
Example: 


interface atm 0.1 

pvc ipoa vpi 0 vci 32 

qos ubr pcr 2000000 

ip address 20.1.0.102 255.255.255.0 
execute 

exit 

exit 


By default, an IPoA interface is of type BROADCAST-MULTICAST. The fact that it is a BROADCAST 
interface means that the sub-network associated with the IP address/mask contains a network address 
(lowest address in IP subnet) and a broadcast address (highest address). The IP address of the PVC must 
be different from network and broadcast address. For example, if IP address is 10.10.10.1/30, the network 
address is 10.10.10.0 and broadcast address is 10.10.10.3. If you are using a /31 subnet mask, only two 
addresses are available (network and broadcast). To use those IP as interface IP, please enter the 
command ‘no ip directed broadcast’ that removes the BROADCAST behavior of the interface. 


Example: 

interface atm 0.1 

pve ipoa vpi 0 vci 32 

qos ubr pcr 2000000 

ip address 20.1.0.102 255.255.255.254 

execute 

exit 

no ip direct—broadcast 
exit 


4.3.2.5.2.2 | PPP over ATM Encapsulation 


4.3.2.5.2.2.1 Configuration 
To enter in PPPoA configuration mode, use the following command in ATM sub-interface configuration 
mode: 


CLI (config-if)> pve pppoa vpi <vpi> vei <vci> 


PPP provides a standard method of encapsulation across a Point-to-Point connection. Different 
parameters may be negotiated for this connection. 


4.3.2.5.2.2.2 IP Address 
The IP address must be set if the IPCP dynamic is not used. By default, IPCP dynamic is set and the IP 
address is set to 0.0.0.0. To enter the IP address, use the following command: 


CLI (pppoa)> ip address <ip_address> [<mask>] 


Instead of having an IP address, the local PPP interface can be unnumbered. The configuration is the 
following: 


CLI (pppoa)> ip unnumbered { loopback <lb-id> | 
ethernet <slot>/<port>[.<vlan-if>] | 
fastEthernet <slot>/<port>[.<vlan-if>] | 
atm <intf>.<port> | 
serial <slot>.<port> } 


4.3.2.5.2.2.3 Encapsulation Type 


This command specifies the encapsulation type used for this PVC. 


CLI (pppoa)> encapsulation { llc | mux } 
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4.3.2.5.2.2.4 IPCP Parameters 
If the command "no ipcp" is entered, this feature is disabled and the IP address must then be configured. 


If static mode is selected, the IPCP service functions in static mode. In this case the IP address must be 
configured and is checked by the remote equipment (the OneOS-based router and the remote equipment 
must have the same data configured -such as the IP address-). 


If dynamic mode is selected, the IP address for the interface is obtained via PPP/IPCP from the next hop 
router. 


CLI (pppoa)> ipep { static | dynamic } 


If dynamic mode is selected, the network mask can also be obtained via PPP/IPCP. 
CLI (pppoa)> ipep mask-request 
Note: If mask-request is used, the "ip unnumbered <interface>" command is mandatory for 
the IP address and the network mask apply to <interface> otherwise they will apply to PPP. 
If you want to retrieve the DNS server address per IPCP use the next command: 


CLI (pppoa)> ipep dns-accept 


4.3.2.5.2.2.5 | MRU Parameters 
The MRU is set using a command with the following format: 
CLI (pppoa)> mru local <size> { yes | no } { yes | no } 
CLI (pppoa)> mru remote <size> { yes | no } { yes | no } 
This command sets the Maximum Receive Unit (MRU) local/remote length and enables selection of 
negotiation mode. The MRU designates the maximum size of packets received in a PPP payload. 


If negotiation request is enabled (yes in first yes-no argument), the MRU length is negotiated with the 
remote PPP peer and is lower or equal to the size value. The negotiation accept (second yes-no 
argument) defines whether the MRU proposed by the remote peer should be accepted. If negotiation is not 
enabled (no in first or second yes-no argument), the maximum datagram length is equal to <size> value. 
At any rate, the length of MRU is lower or equal to 1582 bytes. 


4.3.2.5.2.2.6 Authentication Type 
Use this command to specify the authentication type. 
CLI (pppoa)> authentication { no | pap | chap | chap/pap } [ two-ways | 
one-way-callin | one-way-called ] 
In case of PAP authentication, the CPE must send a name and password that is checked against a 
matched entry in the local database of the remote router. 


In case of CHAP authentication, the CPE sends a “challenge” message to the remote device, which then 
encrypts the value with a shared key and returns it to the CPE. 


To disable this function: use the ‘authentication no’ command. By default, CHAP is enabled. 
The second argument defines the authentication types. They are: 
e two-ways: authentication is done by both sides 


e one-way-callin (default): authentication material is sent to the remote device, but the remote 
device is not locally authenticated 


e one-way-called: authentication material is not sent to the remote device (only username is sent), 
but the remote device must be authenticated. 


Note: for the current release, only bi-directional CHAP and CHAP server are supported. All other 
combinations are supported with the attribute one-way-callin. 


4.3.2.5.2.2.7 Username and Password 


This configuration command specifies the username and password (character string) used by the 
authentication protocol. 
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The username may content a predefined string of the form #mac<i># that will be replaced during 
authentication by the corresponding MAC address of the device. 








Example: #macl#@my.com will be replaced by 0012EF44E276@my.com where 00:12:EF:44:E2:76 is 
the MAC address #1 of the device as listed in the product information area. 




















The maximum permitted length of username is 64 characters; the maximum permitted length of password 
is 30 characters when entered in clear text and 128 characters when entered already encrypted. 


CLI (pppoa) > username <username> 
CLI (pppoa)> password <password> [<crypto-algorithm>] 


If <crypto-algorithm> is not provided, the password is entered and stored in clear text. 
If <crypto-algorithm> = 0 is provided, the password is entered in clear text and stored encrypted. 
If <crypto-algorithm> = 1 is provided, the password is entered and stored encrypted. 





4.3.2.5.2.2.8 Magic Number Negotiation 


“magic number” is used by the LCP protocol to detect looped-back lines and to check the continuity 
using “echo” frames. 


The magic number may be negotiable: the remote device can choose the number; otherwise (if non- 
negotiable) the CPE selects its own number. 


CLI (pppoa)> magic { negotiation | not-negotiable } 


4.3.2.5.2.2.9 Keep Alive Timer 


If the value of <timer-in-seconds> is different from zero, the keepalive mechanism is enabled. The 
keepalive mechanism sends periodical "echo" frames to prevent disconnection after a long period of 
PPP inactivity. After a ret ry number of unsuccessful "echo" frame sending the line is disconnected. The 
keepalive mechanism is enabled by default (keepalive 4 retry 20). 


CLI (pppoa)> keepalive <timer-in-seconds> [retry <1..100>] 


The no keepalive command disables the mechanism. 


4.3.2.5.2.2.10 Retry Timer 


This timer is used by the LCP protocol during the configuration and negotiation phase for connection and 
auto-reconnection. If a BAS is down and up again all routers will attempt to connect to the BAS 
simultaneously, thus flooding the BAS with connection requests. A random timer for session re- 
establishment can prevent several routers from reconnecting at the same time. The configuration must 
provide a minimum and a maximum range for retry timers. The value of the timer is then chosen randomly 
between the values min and max. 


CLI (pppoa)> retry-time min <seconds> max <seconds> 


Reconnection: 


CLI (pppoa)> [no] reconnection 


This command is used, after session shutdown, to enable session reconnection. 
Default value is: no reconnection 
Example: 


interface atm 0.1 

pvc pppoa vpi 0 vci 34 
encapsulation mux 
ipcep dynamic 
authentication pap 
username user2_0 
password oneaccess 
mru local 1500 no 
mru remote 1500 no 
magic number not-—negotiable 
qos ubr pcr 500000 
execute 

exit 
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exit 


4.3.2.5.2.2.11 Link Fragmentation and Interleaving (LFI) 


LFI enables to reduce significantly transit delays for priority packets. To understand the under-laying 
properties of the IP QoS, please refer to Transit Delay Control. When activating LFI, the priority packets 
are encapsulated in PPP and low priority packets are transported in MLPPP. If low priority packets are too 
large, they are fragmented. Priority packets are transmitted after the current frame being emitted by the 
interface. 


To enable interleaving, use the following command: 


CLI (pppoa)> multilink interleave 


Then you must set some MLPPP parameters: 


CLI (pppoa)> multilink discriminator <class> [<string>] 
CLI (pppoa)> multilink { fragment-size <bytes> | fragment-delay <ms> } 


CLI (pppoa)> multilink header { long | short } 





CLI (pppoa)> multilink max-revunit <bytes> 


The discriminator is used to identify to which bundle a link must be added. It must be usually configured (it 
depends on the remote end of the MLPPP connection). class is an integer ranging from 1 to 5 and 
string is a string of 20 characters maximum. If the class value is 3 (IEEE 802.1 Globally Assigned MAC 
Address) with string, OneOS uses the string as discriminator to open the MLPPP connection. If the class 
value is 3 (IEEE 802.1 Globally Assigned MAC Address) without string, then OneOS uses the MAC 
address of FastEthernet 0/0 to open the MLPPP connection. If the class parameter is other than 3, the 
string parameter is mandatory. 





The maximum fragment size is either determined by the ‘multilink fragment-size <bytes>’ 
command or, it is calculated from PVC line rate divided by the fragment-delay. If fragment-delay is 
configured, the fragment size is re-calculated whenever the DSL line is resynchronized. 


The max-rcevunit is the Maximum Remote Receive Unit (MRRU) and is by default 1500 bytes. 


4.3.2.5.2.2.12 PPPO0A session re-initialization 


The PPPoA session can be automatically re-initialized (disconnected then restarted) using the following 
command in PPPoA configuration mode: 





CLI (pppoa)> reinit <down-time> <mid-time> [<up-time>] [<day-of-the-week>] 


The session will be disconnected then restarted every day at a random time between down and mid times. 
Use the optional day—of-the-week parameter to have it disconnected then restarted once a week at the 
defined day (Monday to Sunday). 


Use the optional up-t ime parameter to have the session restarted at a random time between mid and up 
times (i.e. down for a randomly duration of time). 


To restore default settings and not use automatic re-initialization of the PPPoA session, use the no form of 
the above command: 


CLI (pppoa)> no reinit 


4.3.2.5.2.2.13 Statistics 


In case of PPPoA PVC, a statistics command is available. It permits the display of different information 
regarding the steps required for PPP connection. 


CLI> show statistics pvc pppoa 0 
PPPoA PVC Statistics of ATM interface 0 


PVC Pppoa Statistics: vcd = 1, vpi = 0, vei = 33, ven = 
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LCP Statistics: 

PPP  LCPs SIGP 

Local MRU: 1500, Remote MRU: 1500 

tx packets: 88, tx bytes: 168 

rx packets: 58, rx bytes: 596 

packets rx > max size: 0 

packets rx < min size: 0 

tx packets Config Req: 10, rx packets Config Req: 1 

tx packets Config Acq: 1, rx packets Config Acq: 1 

tx packets Config Nak: 0, rx packets Config Nak: 1 

tx packets Config Rej: 0, rx packets Config Rej: 0 

tx packets Termination Req: 2, rx packets Termination Req: 0 
tx packets Termination Acq: 0, rx packets Termination Acq: 0 
tx packets Code Rej: 0, rx packets Code Rej: 0 

tx packets Protocol Rej: 0, rx packets Protocol Rej: 0 

tx packets Echo Req: 72, rx packets Echo Req: 3 

tx packets Echo Rep: 3, rx packets Echo Rep: 52 

tx packets Discard Req: 0, rx packets Discard Req: 0 

tx packets Identification: 0, rx packets Identification: 0 
tx packets Time remaining: 0, rx packets Time remaining: 0 























NCP Statistics: 

PPP IPCP: STOP 

tx packets: 2, tx bytes: 36 

rx packets: 2, rx bytes: 36 

Time for last establishing PPP connection 42.00 seconds 
Time for last established PPP connection 73.00 seconds 
Time since last stopped PPP connection 2024.30 seconds 











4.3.2.5.2.3 PPP over Ethernet over ATM Encapsulation (PPPoEoA) 


PPPoEOdA is a WAN protocol, which enables the transport of PPPoE frames bridged in LLC/AAL5 PDU. 
PPPoEOoA is traditionally used over DSL uplinks. Indeed, there used to be DSL modems offering the 
customer an Ethernet interface to DSL access. The DSL modem functions as an Ethernet bridge. To allow 
authentication of devices sending traffic through the DSL modem, the PPPoE protocol, running on a PC, is 
required so that the BAS can grant an access to the IP network after PAP/CHAP authentication. 


As the ONE range of products can have an integrated DSL modem, the PPPoE protocol as well as the 
bridging function is managed by OneOS to allow compatibility with BAS not supporting this protocol. 


PPPoE is actually made up of three sub-components: 
e The PPP protocol, which has the same properties and configuration as the PPPoA protocol 


e The PPPoE protocol, defined in RFC 2516, which manages the connection between a client (a host) 
and a PPPoE service concentrator 


e The bridging: PPPoE frames are bridged in AAL-5 PDU using the LLC-SNAP encapsulation 


A BAS is referenced as PPPoE service concentrator in the PPPoE terminology. 


4.3.2.5.2.3.1 Configuration 


To enter in PPPoEoA configuration mode, use the following command in ATM sub-interface configuration 
mode: 


CLI (config-if)> pve pppoeoa vpi <vpi> vei <vci> 
CLI (pppoeoa) > 





The user must then enter PPPoE specific parameters. The first parameter is the source MAC address, 
which is used by the device to generate the PPPoE frames: 





CLI (pppoeoa) > ethernet address <AA:BB:CC:DD:EE:FF> 











Default: MAC address of the LAN port. 


PPPoE frames are normally emitted on a LAN as broadcast frames during PPPoE initiation. Several 
PPPoE service concentrators may be found on the LAN. Therefore, names must identify the clients and 
servers. The following commands identify the ONE device (service name) and the concentrator name: 
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CLI (pppoeoa) > service name <string> 
CLI (pppoeoa) > concentrator name <string> 


The PPP parameters can then be entered and are identical to those of PPPoA (see 4.3.2.5.2.2). Once 
done with the PPP parameters, do not forget to enter the 'execute' command before leaving the pppoeoa 
interface configuration mode. 


4.3.2.5.2.3.2 Example 
The following configuration provides an example for PPPoEOoA configuration: 


interface virtual-template 2 
ip nat inside overload 
exit 


interface atm 0.3 
! PPPoE allows 1492 byte long IP payloads 
! The following commands clamp TCP MSS fields with a shorter MSS 
! than the Ethernet should allow. 
ip tcp adjust-mss 1452 
Pvc pppoeoa vpi 0 vci 40 
ipep static 

ip address 20.12.3.4 
mru local 1492 yes 
mru remote 1492 no 
authentication chap 
username ONEACCESS 
password *****x*x 
concentrator name concentrator 
keepalive 5 

retry-time min 3 max 5 
source 2 


exe 


cute 


exit 
exit 


4.3.2.5.2.3.3 Statistics 
To display PPPoEOA statistics, use the following command: 


CLI (configure)> show statistics pvc pppoeoa <atm-if> 





oEoA PVC Statistics of ATM interface 0 











vcd 


PPP 

PVC Pppoeoa Statistics: 

LCP Statistics: 

PPP LCP? OPEN 

Local MRU: 1492, Remote MRU: 
tx packets: 4, tx bytes: 32 
rx packets: 4, rx bytes: 56 


packets rx > max size: 
packets rx < min size: 


tx 
tx 
tx 
tx 
tx 
tx 
tx 
tx 
cx 
tx 
ctx 
tx 
tx 





packe 
packe 
packe 
packe 
packe 
packe 
packe 
packe 
packe 
packe 
packe 
packe 
packe 


CS 
CS 
CS 
CS 
CS 
CS 
CS 
CS 
CS 
CS 
CS 
CS 
CS 





Config Req: 
Config Acq: 
Config Nak: 
Config Rej: 
Termination 
Termination 
Code Re}: 0, 





; Ux 
7 Ex 
, <x 
, ©X 
Req: 

Acq: 

rx Pp 


OnO: FD OO 


Protocol Rej: 0, 


Echo Req: 0, 
Echo Rep: 1, 
Discard Req: 





rx Pp 
rx Pp 
O,--r 


Identification: 0 
Time remaining: 0 


NCP Statistics: 
PPP IPCP: 
local address is 20.12.3.4 remote Addr is 20.12.3.3 
tx packets: 3, tx bytes: 72 


OPEN 





= 3, vpi = 0, vci = 40, 


1492 


packets Config Req: 1 
packets Config Acq: 1 
packets Config Nak: 1 
packets Config Rej: 0 
0, rx packets 17 
0, rx packets 
ackets Code Rej: 0 





rx packets Protocol Rej: 


ackets Echo Req: 1 
ackets Echo Rep: 0 
x packets Discard Req: 





, vx packets Identification: 
, vx packets Time remaining: 


0 


0 


Termination Req: 
[Termination Acq: 


0 
0 


0 
0 
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rx packets: 3, rx bytes: 48 

packets rx > max size: 0 

packets rx < min size: 0 

Time for establishing PPP connection 2.18 seconds 
Time since established PPP connection 11.62 seconds 





DISCOVERY Statistics: 
DISCOVERY State: ESTABLISH SESSION 
local address is 1a:2b:3c:4d:5e:70 remote Addr is 00:02:b59:38:19:90 














OEOA Statistics: 
total tx packets: 7, tx bytes: 144 
total rx packets: 13, rx bytes: 1808 








To display PPPoEoA interface configuration details as well as its default value, use the ‘show 
configuration’ command: 


CLI (configure)> show configuration pvc pppoeoa <atm-if> 


List of configured PPPoEoA PVC 











Configuration of PVC pppoeoa: sub-int = 3, vpi = 0, vei = 40, ven = 








ATM interface index: 0 
sub-interface: 3 

vpi number: 0 

vei number: 40 





ven: 
pve Encapsulation: aal5/llc 
QOS: UBR 


Peak Cell Rate: 2000000.00 
Priority: 4 

IP address for this int: 20.12.3.4 
Ipcp: Static negociation 

Local MRU: 1400 

Local MRU negociation: Yes 
Remote MRU: 1400 

Remote MRU negociation: No 
Authentication: PAP 

User name: ONEACCESS 

password: Yoohoo 

Use magic number: No 

pvc keep alive: 5 

pve retry timer: min = 3 max = 5 
IAC address: la:2b:3c:4d:5e:70 
Concentrator name: weather 
Service name: meteo 

pve reconnection: no 























OAM Pvc level: 
ais_rdi_enable: 0 
lb_ete_enable: 
lb_seg_enable: 
cc_seg_enable: 
cc_ete_enable: 
lb_retries_down_to_up: 3 
lb_retries_up_to_down: 5 
lb_retry_frequency: 1 
counter_aisrdi_up_to_down: 3 
timer_aisrdi_down_to_up: 3 
number_retries: 0 

manage: 1 

intrusive: 1 
lb_normal_frequency: 10 


0 
0 
0 
0 








To debug connection issues with PPPoE, use the 'event' facility: 
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CLI> event filter add wan pppoeoa all show 
4.3.2.5.3 Multi-Link PPP (MLPPP) over ATM and MLPPPoEoA 
4.3.2.5.3.1 Configuration 


MLPPP over ATM is only supported on the ONE80/180/300 routers in V3.7R15. It makes it possible to 
inverse-multiplex an IP stream over multiple SHDSL lines. If the inverse multiplex function of MLPPP is not 
required, but only the interleaving (LFI) function of MLPPP, please refer to 4.3.2.5.2.2.11. 


MLPPP is configured as follows: 
e Virtual ATM template: template of ATM parameter configuration (ATM shaping, OAM, ...) 


e PVC configuration: the VPI/VCI is configured and attached to a virtual ATM template. It is also 
attached to a MLPPP dialer interface 


e AMLPPP dialer-interface: this is the logical IP interface running the MLPPP protocol. The IP services 
are attached to this interface (access list, QoS ...). The dialer interface is attached to a PPP virtual 
template containing the PPP/MLPPP specific protocol parameters. 


The PPP parameters must be set for authentication and PPP parameters. All PPP parameters are entered 
within a PPP virtual template. This PPP virtual template must be set to automatic reconnection. Please 
refer to 4.3.5 for more details. Example: 


virtual-template ppp 1 

ipcp dynamic 

authentication chap 

ipcp dns-accept 

username apassword@provider.com 
password ****x** 

reconnection auto 

execute 

exit 


The MLPPP dialer interface is attached to a pool number. The pool number is an identifier shared by the 
physical interface and the dialer interface. To configure an MLPPP dialer interface, attach a PPP virtual 
template and a pool number (when these two objects are attached, and only after, IP configuration can be 
set): 


LI 
LI 
LI 
LI 


> [no] interface dialer-mlppp <0-65535> 
> pool-number <1-255> 

> profile <0-10> 

> exit 


configure 
config-if 
econLrg=1t 
config-if 





Cl 
Cl 
Cl 
Cl 


By default, the protocol is MLPPPoA; extra configuration parameters are required for MLPPPoEOoA: 
e Mode: PPPoE client (host) or server (concentrator). A CPE router is usually in host mode 


e Service name: the service name is a string transmitted during PPPoE establishment; this string is 
usually not checked by the network. The default service name is ‘any service’. 


e Concentrator name (default: empty) 
For an MLPPPoEOoOA client, the configuration commands are: 


CLI (configure)> interface dialer-mlppp <0-65535> 

CLI (config-if)> protocol pppoeoa 

CLI (config-proto)> {service name <name> | no service name } 
CLI (config-proto)> exit 

CLI (config-if)> exit 


For an MLPPPoEOA server: 


CLI (configure)> interface dialer-mlppp <0-65535> 

CLI (config-if)> protocol pppoeoa 

CLI (config-—proto) > mode concentrator 

CLI (config-proto)> {concentrator name <name> | no concentrator name } 
CLI (config-proto)> {service name <name> | no service name } 

CLI (config-proto)> exit 


Page 4.3-167 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


CLI (config-if)> exit 


Then, attach the dialer interface to ATM PVC and re-use the same pool-number: 


Cl > interface atm-aal5 <0-3>.<1-255> 


> mlppp dial-pool <1-255> 


LI (configure) 
CLI (config-if) 
CLI (config-if)> pve vpi <0-255> vei <0-2048> 

CLI (config-pvc)> profile-pve <virtual-template-id> 
CLI (config-pvc)> exit 

CLI (config-if)> exit 





For more information on ATM-AAL5 PVC, please refer to 4.3.2.4 section. 
4.3.2.5.3.2 Example 


MLPPPOoA: 


interface atm 0 
gshdsl 0 
execute 
exit 
exit 
interface atm 1 
gshdsl 1 
execute 
exit 
exit 
interface atm 2 
gshdsl 2 
execute 
exit 
exit 
interface atm 3 
gshdsl 3 
execute 
exit 
exit 
virtual-template pvc 1 
qos cbr pcr 2304000 
exit 
virtual-template ppp 1 
ipcp dynamic 
authentication chap 
ipcp dns-accept 
username apassword@provider.com 
password ****** 
reconnection automatic 
execute 
exit 
interface dialer-mlppp 0 
pool-number 0 
profile ppp 1 
ip nat inside overload 
service-policy output shaping 
exit 
interface atm-aal5 0.1 
mlppp dial-pool 0 
pvc vpi 1 vci 32 
profile-pvc 1 
exit 
exit 
interface atm-aal5 1.1 
mlppp dial-pool 0 
pve vpi 1 vci 32 
profile-pvc 1 
exit 
exit 
interface atm-aal5 2.1 
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mlppp dial-pool 0 
pvc vpi 1 vci 32 
profile-pvc 1 

exit 

exit 

interface atm-aal5 3.1 
mlppp dial-pool 0 

pvc vpi 1 vci 32 

profile-pvc 1 
exit 
exit 


MLPPPoEoA: 


interface atm 0 
gshdsl 0 
execute 
exit 
exit 
interface atm 1 
gshdsl 1 
execute 
exit 
exit 
interface atm 2 
gshdsl 2 
execute 
exit 
exit 
interface atm 3 
gshdsl 3 
execute 
exit 
exit 
virtual-template pvc 1 
qos cbr per 2304000 
exit 
virtual-template ppp 1 
ipcp dynamic 
authentication chap 
ipcp dns-accept 
username apassword@provider.com 
password ***xx* 
reconnection automatic 
execute 
exit 
interface dialer-mlppp 0 
pool-number 0 
profile ppp 1 
protocol pppoeoa 
exit 
ip nat inside overload 
service-policy output shaping 
exit 
interface atm-aal5 0.1 
mlppp dial-pool 0 
pve vpi 1 vci 32 
profile-pvc 1 
exit 
exit 
interface atm-aal5 1.1 
mlppp dial-pool 0 
pve vpi 1 vci 32 
profile-pvc 1 
exit 
exit 
interface atm-aal5 2.1 
mlppp dial-pool 0 
pve vpi 1 vci 32 
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profile-pvc 1 
exit 
exit 
interface atm-aal5 3.1 
mlppp dial-pool 0 
pve vpi 1 vci 32 
profile-pvc 1 
exit 
exit 


4.3.2.5.3.3 Debug and Statistics 


To display the MLPPP configuration information: 


CLI> show configuration interface dialer-mlppp <id> 


To display the MLPPP dialer statistics: 


CLI> show statistics dialer-mlppp <id> 


To debug the MLPPP protocol, use the next command: 

CLI> [no] debug dialer-mlppp 
Use the following command to display statistics regarding the ATM PVC under the sub-interface specified 
by its number. 


CLI> show interfaces dialer-mlppp <interface-id> 


4.3.2.6 ATM Management Flows 

This section describes the main features of the ATM management flow. 
4.3.2.6.1 Features 
4.3.2.6.1.1 Definitions 


The following terms are used throughout this section: 


4.3.2.6.1.1.1 OAM 
This acronym defines operations and maintenance on broadband networks. This document is specifically 
related to OAM on ATM networks. 

4.3.2.6.1.1.2_ OAM Flow 


In ATM layers, OAM flow stands for the specific ATM cells used for operations and maintenance and that 
transit between the ATM nodes of an ATM connection. Depending on the cell content, OAM cells are 
applied to Virtual Paths, or Virtual Channels. 


4.3.2.6.1.1.3 Description of OAM Information Flow 


The OneOS-based router can simultaneously monitor a sub-part or an entire VC connection, thus 
facilitating interoperability through different operators if needed. The device manages OAM segment and 
OAM end-to-end cells. 





VC End Point VP Switch VC End Point 


ATM Segment 


$A 
‘ ATM End to End Connection 3 


OAM flow 
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4.3.2.6.1.1.4 OAM Cell Structure 


The OneOS-based router manages all OAM fault management cells (type set to 0010) and is ITU-T 1.610 
compliant. The Field of OAM cell structure is coded for the specific cell: AIS, RDI, CC and LB. 


i: ATM Cell 


4 bitsy, gi bits_» g 45 byte 
Field | Specific Field 






















OAM F5 Cells 


F5 segment: 1X0 
F5 x F5 F5 end-to-end: 1X1 
X: 0 or 1 





The PTI field indicates the type of OAM cell associated with the VP Identifier/VC Identifier. The cell 
payload depends on the OAM cell type. 


4.3.2.6.1.2 | Handling of ATM OAM 


4.3.2.6.1.2.1_ ATM OAM Prioritization 


OAM cells are not processed in the same queue as data. The OAM cells are sent directly without delay 
over the PVC. As far as the OAM cell shaping and prioritization technique is concerned, the following 
objectives are fulfilled: 


e OAM cells + data traffic must be conform to ATM shaping (i.e. should not exceed PCR, while OAM 
cells are sent during high traffic load) 


e OAM cells have got the highest priority. 


4.3.2.6.1.2.2_ Continuity Check (CC) 


In the absence of user flow, CC is a type of cell that can be generated each second by the OneOS-based 
router on a VC. Because of the periodic reception of cells, the remote ATM end point is ensured that the 
VC is in operation on the downstream. If the OneOS-based router is configured to receive CC cells, the 
non-reception of cells for more than 3.5 seconds is interpreted as a VC fault (Loss of Cells, LOC), thus 
triggering an alarm on the OneOS-based router for the VC. Then, the first received cell triggers a new 
alarm clearing the VC fault. 


The OneOS-based router can be configured to emit and receive either segment CC or end-to-end CC on 
each VC. 


4.3.2.6.1.2.3 Loopback (LB) 


LB is a type of cell used either periodically or occasionally for testing an ATM segment or a whole ATM 
connection. The cell is generated with a tag identifier that is kept in memory by the OneOS-based router. 
The cell is sent and looped at either the next segment or the remote end point of the VC. The reception of 
a loopback cell with the same tag identifier results in a successful test. Failing loopback tests result from 
non-reception of loopback cells or reception of cells after the configured timeout. 


The OneOS-based router periodically generates LB cells. If LB tests have been successful and are then 
followed by a failed LB test, the LB sending frequency is changed to generate a retry at a new frequency. 
A new sample of loopback tests is then carried out at the new frequency. If all the tests fail, the OneOS- 
based router sets an alarm for the affected VC and the LB sending frequency is changed to normal 
frequency. As soon as one LB test is successful, a new set of LB tests is carried out. If the series is 
successful, then an alarm is cleared by the OneOS-based router for this VC. 


The OneOS-based router occasionally generates LB cells by means of the ping command. Provided that 
LB cells are not configured on the VC, a configurable set of loopback cells is sent. The command will 
provide an estimated rate of successful tests, as well as the average round trip delay of loopback tests. 


The OneOS-based router can be configured to send either segment or end-to end LB cells on each VC. 
When OAM is activated on a VC, all incoming loopback cells on the VC are looped by default. 
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4.3.2.6.1.2.4 Alarm Indication Signal (AIS) and Remote Defect Information (RDI) 


AIS and RDI are types of cells used respectively for forwarding an alarm for a VC failure, or a sub-layer 
default, or acknowledging an AIS alarm or a failure on a VC, or a sub-layer default. 


Failures are detected by the OneOS-based router with a LOC alarm or LB alarm at the VC level, or by a 
physical failure such as Loss of Frames on the DSL interface. As long as a failure remains, RDI cells are 
generated every second, indicating that a failure has been detected by the end-point. 


Alarms Cells are similarly generated. When an AIS cell is received by the OneOS-based router on a given 
VC, an RDI cell is generated in the reverse direction with the same payload as the AIS cell received. This 
indicates to the remote end-point that an AIS alarm was received. The RDI and AIS payload contain a 20- 
byte field containing the address of the ATM node that generated the AIS node (that first detected the 
failure). 


Inversely, when an RDI cell is received by the OneOS-based router on a specific VC, cells are not 
generated. 


The OneOS-based router can be configured to manage AIS and RDI cells on each VC. AIS reception 
triggers RDI generation. An alarm detected on a VC automatically enables RDI generation. 
4.3.2.6.2 Permanent Virtual Channel Connectivity 
4.3.2.6.2.1 Loopback Ping 
Provided that a PVC manages ATM OAM cells, to generate a set of loopback cells on a PVC, use the 
following command in global configuration mode: 
CLI> ping atm port <0-3> vpi <0-255> vei <32-2048> { end-loopback | seg- 
loopback } [repeat <1-255>] [timeout <1-255>] 
4.3.2.6.2.2 | Permanent Virtual Channel Configuration (PVC/SVC) 
OAM is configurable, on each of the above-referenced functionality sets: CC, LB, AIS, and RDI. 
4.3.2.6.2.3. Management of a Virtual Channel 
To manage F5 OAM cells and loopback cells on a dedicated PVC, use the following command in 
PVC/SVC (=VC) configuration mode. 


Note: in the following CLI (pvc) > is used for any dedicated PVC (ipoa, pppoa, pppoeoa and voiceoa). 


CLI (pvc)> oam-pve manage 


When OAM cells are not taken into account on the PVC, use the following command: 


CLI (pvc)> no oam-pvc manage 


F5 OAM management is enabled by default. 
4.3.2.6.2.4 OAM F5 Loopback End-to-End 


To enable F5 OAM end-to-end loopback cell generation and monitoring, use the following commands in 
VC configuration mode: 


CLI (pvc) > oam end-loopback 


Some parameters can be adjusted: 


CLI (pvc)> oam-lb retry <up-count> <down-count> <retry-frequency> 
CLI (pvc)> oam-pve manage <frequency> 


up-count is the required number of loopback cells to receive, so that the ATM VC can be considered as 
up (default: 3). Similarly, the down-count is the number of lost loopback cells (not looped) required to 
consider the interface as down (default: 5). When the ATM VC encounters a state change (going up or 
down), loopback cells are sent temporarily much faster than usual. The ret ry-frequency provides the 
interval in seconds between each loopback cell emission during this transient phase (default: 1 sec). The 
frequency parameter provides the emission interval of loopback cells for normal working conditions 
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(default: 10 sec). 
To disable F5 OAM loopback end-to-end, use the following command: 


CLI (pvc)> no oam end-loopback 


F5 OAM end-to-end loopback is disabled by default. 
4.3.2.6.2.5 | F5 OAM Loopback Segment 


To enable F5 OAM segment loopback cell generation and monitoring, use the following commands in VC 
configuration mode: 


CLI (pvc) > oam seg-loopback 


Some parameters can be adjusted: 


CLI (pvc)> oam-lb retry <up-count> <down-count> <retry-—frequency> 
CLI (pvc)> oam-pve manage <frequency> 


The parameters are the same as those for F5 OAM loopback end-to-end. To disable F5 OAM loopback 
segment, use the following command: 


CLI (pvc)> no oam seg-loopback 


F5 OAM segment loopback is disabled by default. 
4.3.2.6.2.6 | F5 OAM Continuity Check End-to-End 


To enable F5 OAM end-to-end continuity-check cells generation and monitoring, use the following 
commands in PVC configuration mode: 


CLI (pvc) > oam end-cc 
CLI (pvc)> oam-pve manage 


To disable the F5 OAM end-to-end continuity check, use the following command: 


CLI (pvc)> no oam end-cc 


The OAM end-to-end continuity check is disabled by default. 
4.3.2.6.2.7. F5 OAM Continuity Check Segment 


To enable F5 OAM segment continuity check cells generation and monitoring, use the following 
commands in PVC configuration mode: 


CLI (pvc)> oam seg-cc 
CLI (pvc)> oam-pve manage 


To disable the F5 OAM segment continuity check, use the following command: 


CLI (pvc)> no oam seg-cc 


F5 OAM segment continuity check is disabled by default. 
4.3.2.6.2.8 F5 OAM AIS RDI 


To enable F5 OAM AIS and RDI generation and monitoring, use the following commands in PVC 
configuration mode: 


CLI (pvc)> oam ais-rdi 
CLI (pvc)> oam-pve manage 


To disable F5 OAM AIS RDI management, use the following command: 


CLI (pvc)> no oam ais-rdi 


F5 OAM AIS RDI is enabled by default. 
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Some parameters can be optionally adjusted: 
CLI (pvc)> oam-man aisrdi-down <3-60> aisrdi-up <3-60> 


The first parameter provides the number of AIS/RDI to consider the interface down, the second to consider 
the interface up. 


4.3.2.6.2.9 | F5 OAM Intrusive Management 


To take into account OAM alarms for changing the availability of ATM PVC, use the following command in 
PVC configuration mode: 


CLI (pvc)> oam-pve [manage] intrusive 
The effect is that the upper layer supported by the ATM VC is informed of any state change of the 
interface. Application cases: 


e The IPOA/PPPoA/PPPoEOA PVC can be informed that the interface is down. Then, the corresponding 
IP interfaces are considered then as down. The result: the routes to this interface take an infinite cost, 
which makes it possible to re-route rapidly traffic on a backup interface. 


e FRF.5: the HDLC interface can be taken down during the unavailability of the ATM PVC. This enables 
to signal to the connected Frame Relay equipment that the connection is not available. In this case, 
the connected device can send traffic on a backup interface. 


e FRF.8: all DLCI supported by this ATM VC are signaled as unavailable. The signaling is achieved 
using LMI. 


To disable intrusive ATM PVC monitoring, use the following command: 


CLI (pvc)> no oam-pve intrusive 
F5 OAM intrusive management is enabled by default. 
4.3.2.6.2.10 Configuration Example 
In this example, the VCI 33 is used for connecting a private network to the Internet through IPoA service, 


while the VCI 49 is used for a PPP connection between the OneOS-based router and the remote computer 
named PC1. 








Internet 














Lc] 









ONE 400 


a 
~~ <-> 


router 













50.0.0.4_ VP0 VC 33 














53.0.0.4 VP 1 VC 49 














Configuration File (CLI): 


! ### OAM Event configuration 

event filter add atm ATM_OAM ALL SHOW 
configure terminal 

! ### Configuration Gshdsl interface 
interface atm 0 

gshds1l 

execute 

exit 

! ### Configuration ATM interface 
driver ident 0 
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range vc min 32 max 64 

range vp min 0 max 5 

max vc 8 

max vp 4 

execute 

exit 

exit 

! ### Configuration pve ipoa 
interface atm 0.1 

pve ipoa vpi 0 vci 33 

ip address 51.0.0.4 255.255.255.0 
! ### set seg-cc and ais-rdi 

oam ais-rdi seg-cc 

! ### validate oam configuration 
oam-pvc manage 

execute 

exit 

exit 

! ### Configuration pvc pppoa 
interface atm 0.2 

pvc pppoa vpi 1 vci 49 

ip address 53.0.0.4 

ipep static 

authentication no 

! ### set end-loopback and ais-rdi 
oam ais-rdi end-loopback 

! ### validate oam configuration and turn the pvc to intrusive 
oam-pvc manage intrusive 

execute 

exit 

exit 

exit 


4.3.2.6.2.11 Statistics 


Use the following commands to display OAM statistics. To display OAM counters, OAM configuration and 
alarms on a VC, use the following show command: 


CLI> show atm pvc port <atm-port> vpi <VP-identifier> vei <VC-identifier> 


For example: 


CLI> show atm pvc port 0 vpi 0 vci 33 
OAM frequency: 10 second(s), OAM retry frequency: 1 second(s) 
OAM up retry count: 3,OAM down retry count: 5 
OAM CC Seg status: OK 
OAM AisRdi status: enabled 
OAM VC state: managed 
OAM cells received: 150 
F5 InEndLpbk: 0, F5 InSegLpbk: 0 
F5 InEndLoop: 0, F5 InSegLoop: 0 
F5 InEndAis: 0, F5 InEndRDI: 0 
F5 InSegAis: 0, F5 InSegRDI: 0 
F5 InEndcc: 0, F5 InSegCc: 150 
OAM cells sent: 201 
F5 OutEndLpbk: 0, F5 OutSegLpbk: 0 
0 























F5 OutEndLoop: 0, F5 OutSegLoop: 0 
F5 OutEndAIS: 0, F5 OutEndRDI: 25 
F5 OutSegAis: 0, F5 OutSegRDI: 0 
F5 OutEndcc: 0, F5 OutSegCC: 176 


OAM cell drops: 0 
Status: UP, last Change of Status: 2507 
OAM AIS down: 3, Up: 3 
For displaying the total OAM cells sent and received on the ONE router, use the following show command: 


CLI> show atm traffic 
Total OAM cells received: 220 
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4.3.3 


4.3.3.1 


4.3.3.2 


Total OAM cells sent: 271 


Ethernet in the First Mile —- EFM 
Introducing EFM 


What is EFM? 


Ethernet in the First Mile or EFM, also known as IEEE 802.3ah, applies Ethernet in the access network. 
Access networks migrate gradually from ATM based to Ethernet based: ATM switches and DSLAMs are 
replaced by Ethernet switches and IP DSLAMs. EFM has been defined for fiber, SHDSL and VDSL links to 
replace ATM also in the First Mile. 


The First Mile (some call it the Last Mile) is the name traditionally given to the part of a public 
communication network that links the last provider-owned node (the central office or CO, the street cabinet 
or pole) with the customer premises equipment (CPE). The First Mile looks into it from the customer's 
perspective, the Last Mile from the operator’s perspective. 


The Last Mile can be seen as a bottle neck in the communication network, as the bandwidth is less than in 
the rest of the network. EFM does not improve or replace the existing Ethernet standard; it is an extension 
of Ethernet technology. The EFM terminology when it is applied to SHDSL links is called 2BASE-TL. 


Ethernet 


Ethernet began as a broadcast local area network technology as a best effort delivery protocol. Occasional 
frame disruptions due to collisions or signal noise were expected and tolerated. 


These days, Ethernet is omnipresent. It is easy to configure, cost-effective, highly scalable and supports a 
wide range of services such as data, voice and video. This makes it well suited to the demands of the First 
Mile, bridging the gap between the provider network and the subscriber network, making use of cable or 
Digital Subscriber Line (DSL). 


However, quality demands in First Mile connection networks using EFM are much higher compared to LAN 
networks. High availability and sophisticated tools to manage and troubleshoot the EFM networks are a 
must for providing the high level of service customers require. Performance must be monitored, and any 
errors in the network must be detected and isolated very quickly. 


Therefore, issues required for mass deployment of Ethernet services, such as OAM (Operation, 
Administration and Maintenance) and compatibility with existing technologies, have all been dealt with in 
the EFM standard. 


More simple architecture 


The use of EFM in subscriber access applications eliminates unnecessary network layers such as ATM. 
The elimination of network layers reduces the number of network elements in a network, and that reduces 
equipment costs, operational costs, and complexity. 


OAM - Operations, Administration and Maintenance 
EFM OAM in accordance with IEEE 802.3ah is a mechanism that provides information, event notification, 
variable retrieval, and loopback controls between the CPE and the DSLAM. 


The actual use of the OAM functionality is optional. A device is able to determine whether or not a remote 
device has the OAM functionality enabled. The OAM Discovery mechanism ascertains the configured 
parameters, such as maximum allowable OAM PDU size, and supported functions such as OAM remote 
loopback, on a given link. 


For more detailed information about the OAM mechanism, refer to section 5 of IEEE Std. 802.3-2005; 
more specifically section 57 Operations, Administration, and Maintenance (OAM). 


Purpose of OAM 


OAM is a mechanism to: 
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e Monitor the functionality, link operation and health of the EFM network. 
e Detect failures and improve fault isolation. 

e Propagate these failures to end nodes. 

e Monitor the performance of the EFM network. 


The OAM mode can be set to active, passive, auto, or can be disabled. The OAM mode is further 
discussed below. 


OAM PDUs or protocol data units 


OAM information is conveyed in protocol frames called OAM Protocol Data Units or OAM PDUs that are 
sent between two ends of a single link. OAM PDUs contain the appropriate control and status information 
used to monitor, test and troubleshoot OAM-enabled links. 


OAM discovery 
e OAM discovery allows a local device to detect OAM on a remote device. 


e Once OAM support is detected, both ends of the link exchange configuration and status information 
e.g. mode, PDU size, loopback support. 


e If both ends are satisfied with the settings, OAM is enabled on the link. 


e —_ Loss of link and non-reception of PDUs for 5 seconds will cause the discovery process to restart. 


OAM remote loopback 


e OAM remote loopback can be used for fault localization and link performance testing. Statistics from 
both the local and remote DTE can be queried and compared at any time while the remote DTE is in 
OAM remote loopback mode. 


e OAM loopback is a process that is used to verify whether a link is truly up or down. This is done by 
sending (and receiving) OAM Loopback PDUs between both ends of the link. 


e OAM loopback can be started or stopped on the device, by using the oam command. 


e The Local DTE sends loopback control PDUs, the remote DTE acknowledges by sending information 
PDUs with updated state information. 


OAM Active mode 


A device configured in active mode initiates the exchange of Information OAM PDUs. Once the Discovery 
process completes, active devices are permitted to send any OAM PDU while connected to a remote OAM 
device in active mode. Active devices operate in a limited respect if the remote OAM device is operating in 
passive mode. Active devices do not respond to OAM remote loopback commands and variable requests 
from a passive device. 


A device can be set to active mode using the oam command, which is explained further below. 
A device in active mode: 

e Initiates the OAM Discovery process. 

e Sends Information PDUs. 

e May send Event Notification PDUs. 

e May send Variable Request/Response PDUs. 

e May send Loopback Control PDUs. 


A device in active mode does not: 


Respond to Variable Request PDUs from other DTE in Passive mode. 


React to Loopback Control PDUs from other DTE in Passive mode. 
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OAM Passive mode 


Devices configured in passive mode do not initiate the discovery process. Passive devices react to the 
initiation of the discovery process by the remote device. This eliminates the possibility of a link being 
established between two passive devices. Passive devices do not send Variable Request or Loopback 
Control OAM PDUs. 


A device can be set to passive mode using the oam command, which is explained further below. 
A device in passive mode: 

e Waits for the remote device to initiate the discovery process. 

e Sends Information PDUs. 

e May send Event Notification PDUs. 

e May respond to Variable Request PDUs. 

e May react to Loopback Control PDUs received. 

A device in passive mode is not permitted to send: 

e Variable Request PDUs. 

e Loopback Control PDUs. 


4.3.3.3. Configuration 


Enter the interface number to configure the EFM interface (the interface is created if it does not exist): 


CLI> configure terminal 
CLI (configure)> interface efm <0-8>/<0-6>[.<1-255>] 
CLI (conf-if)> 





This will activate the EFM interface and enter the configuration mode of the interface. The interface 
number is a logical number; it does not have a physical meaning. 


Note: As of V4.2 software release, only one EFM interface, the EFM interface 0, can be activated. 
For example: 


CLI> configure terminal 
CLI (configure)> interface efm 0 
CLI (conf-if)> 


4.3.3.3.1 Configuration command overview 


The following gives an overview of the available configuration commands: 


+---efm 

| +---active-link-number 
| +---active-—user-speed 
| +---arp 

| +--—-bandwidth 

| +---bridge-group 
| +---crypto 

| +---default 

| +---description 

| +---dsl-group 

| +---encapsulation 
| 

| 

| 

| 

| 

| 

| 

| 


+---exit 
+---ip 
+---keepalive 
+---no 
+---oam 
+-———pppoe 


+---pppoe-client 
+---service-policy 
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| +---shutdown 
| +---virtual 
| +---vrrp 


4.3.3.3.2 | EFM configuration commands 


Use the following command to set the number of line pairs that have to be up for considering the whole link 
as up and running, default: 1. <link-number> range can be set between 1 and 4. 


CLI (conf-if)> active-link-number <link-number> 


For example: 
CLI (conf-if)> active-link-number 2 
CLI (conf-if)> 


This requires two line pairs to be up to consider the whole link as up. 


Use the following command to set the minimum total speed (sum of the speed of all lines that are up) to 
consider the whole link as up. The default value is 0, meaning that the link is always up. 


CLI (conf-if)> active-user-speed <user-speed> 


The <user-speed> range can be set between 0 and 22784 Kbps. 


Use the following command to set the ageing time of the ARP cache entries. 


All the “MAC address - IP address” pairs from ARP requests and replies received on the EFM interface are 
kept in the ARP cache. However, if devices on the network are reconfigured then this “MAC address - IP 
address” relation may change. Therefore, the ARP cache entries are automatically removed from the 
cache after a fixed time-out. This time-out period can be set with this command, and is expressed in 
seconds, default: 3600 sec. 


CLI (conf-if)> arp timeout <value> 


<value> is being the time-out value. Its range can be set between 0 and 2147483 seconds. 


Use the following command to set the bandwidth informational parameter, default: 100000. Refer to the 
Policy Nesting paragraph of the Quality of Service chapter for more information about the use of the 
bandwidth command. 


CLI (conf-if)> bandwidth <value> 


<value> range can be set between 1 and 100,000 Kbps. 


Use the following command to assign the EFM interface to a bridge group. 


CLI (conf-if)> bridge-group <bridge-id> 


<bridge-id> range can be set between 1 and 65535. 
A bridge-group is a unique, arbitrary identifier designating BVI membership of physical interfaces. 


Multiple bridge groups can exist in one device. This means you can group some interfaces in one bridge 
group while you group several other interfaces in another bridge group. By doing so, it is as if you created 
several “simple” bridge devices within one device. 


Use the following command to apply an IPsec map to the EFM interface. 


CLI (conf-if)> crypto map <WORD> 


<WORD> is being the name of the IPsec map. 
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Refer to 4.7 IP Security for more information about IPsec. 


Use the following command to fill in a general description for the EFM interface. A maximum of 100 
characters are allowed. 


CLI (conf-if)> description <description_of_the_interface> 


Use the following command to select a DSL group. This command links the DSL group to the interface. 


CLI (conf-if)> dsl-group <dsl_group_number> 


Refer to 4.3.2.3.2.2 Setting up a DSL-group for more information. 


In order for a VLAN interface to function, a VLAN ID must be set using the following command in interface 
configuration mode: 


CLI (conf-if)> encapsulation dot1Q <vlan-id> [native] 
<vlan-id> is being an integer ranging from 1 to 4095. It has no default value. If the Keyword native is 
present, this VLAN becomes a native VLAN. On native VLAN, only IEEE 802.3 encapsulation is used (no 
VLAN header is included in the frame). They are targeted for use with LAN stations, which are part of a 
VLAN but not able to decode IEEE 802.1Q encapsulated frames (use of conventional Ethernet frames). 


Only one single native VLAN per port can be declared as no VLAN header is present to discriminate two 
VLAN. 


To remove dot1Q encapsulation, use the command: 


CLI (conf-if)> default encapsulation 


Use the following command to configure the IP related parameters of the EFM interface. 


CLI(conf-if)> ip... 


Refer to 4.5 IP Addressing and Routing for more information about IP. 


In some cases, it is desirable to force the EFM port in status up, although no cable is connected. This 
permits the testing of some functions (e.g. routing) before connecting the router to a live customer network. 


CLI (conf-if)> keepalive 
CLI (conf-if)> 


Use the following command to enable or disable OAM on the EFM interface. For more information about 
OAM, refer to 4.3.3.2 OAM — Operations, Administration and Maintenance. 


CLI(conf-if)> oam {disable | auto | active | passive} 


The possible values for oam are: 


e active: This activates the OAM Discovery process: the OneOS-based router actively monitors the 
EFM link. 


e passive (default): This sets the OAM mode to passive; this means that the OneOS-based router 
waits for the remote device to initiate OAM actions. 


e auto: This means that the OneOS-based router actively monitors the EFM link AND waits for the 
remote device to initiate OAM actions. 


e disable: This disables the OAM mechanism in the OneOS-based router. The EFM link will not be 
monitored. 


Use the following command to enable a PPPoE service profile on the EFM interface. 


CLI (conf-if)> pppoe enable <profileName> 


<profileName> is being the name of the PPPoE service profile. 
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Use the following command in configure mode to enable a BBA-group — Broadband Access Group — on 
the EFM interface. 


CLI (configure)> bba-group pppoe <bba-group-name> 
CLI (pppoe) > 

<bba-group-name> is being the name of the BBA group. 

Then exit the PPPoE configuration: 
CLI (pppoe) > exit 


CLI (configure) > 


Refer to 4.3.6 PPPoE on Ethernet Uplink for more information about BBA-groups. 


Use the following command to assign a dial pool number to the interface. 
CLI (conf-if)> pppoe-client dial-pool-number <poolNumber> 
A PPPoE interface is considered in the configuration as a logical dialer interface. This dialer interface is 


attached to one physical interface. The attachment between logical and physical interface is determined by 
the dialer pool membership id <poolNumber>. 


Refer to 4.3.5 PPP Virtual Template Configuration and 4.3.6 PPPoE on Ethernet Uplink for more 
information on the dial pool number. 


Use the following commands to apply a policy-map on the interface, in the inbound or in the outbound 
direction. 


CLI (conf-if)> service-policy input <policy-map> 
CLI (conf-if)> service-policy output <policy-map> 
<policy-map> is being the name of the applied policy-map. 


Refer to 4.15.2.2 Policing, Marking, and Scheduling and 4.15.2.14 Policy Nesting for more information 
about policy-maps. 


In order to be able to use the Virtual Router Redundancy Protocol (VRRP), this feature must be enabled 
on the interface. To do so, proceed as follows: 


CLI (conf-if)> virtual interface-status 

CLI (conf=-if)> 
A single virtual MAC address can be enabled on the interface. To enable the use of a virtual MAC address, 
proceed as follows: 

CLI (conf-if)> virtual mac-—address 


CLI (conf=-if) > 


For more information about VRRP, refer to 4.23. 


Use this command to set the identification of the virtual router. The vrrp range can be set between 1 and 
255. Proceed as follows: 


CLI (conf-if)> vrrp <1-255> 


For more information about VRRP, refer to 4.23. 


Use the following command to shutdown an interface. This means that it will no longer able to receive and 
send data packets. 


CLI (conf-if)> shutdown 


To restart the interface, use the 'no' form of the command: 
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CLI (conf-if)> no shutdown 


If an interface is shutdown, the address or addresses assigned to that interface will be unreachable. If one 
pings one of the interface addresses, it will not work. 


Use the 'no' command to stop another configuration command that is running. For example: 


CLI (conf-if)> no keepalive 
CLI (conf-if)> 


Use the default command to restore the default settings of certain commands. 


For example, the following command sets the bandwidth back to the default value: 


CLI (conf-if)> default bandwidth 
CLI (conf-if)> 


Use the following command to exit the EFM interface configuration mode. 


CLI (conf-if) >exit 
CLI (configure) > 


4.3.3.4 Status information 


To display interface statistics of a configured EFM interface, use the show interfaces command. 
For example: 


CLI (conf-if)> show interfaces efm 0 
efm 0 is up, line protocol is up 
Flags: (0x8063) BROADCAST MULTICAST ARP, interface index is 5202 
Description: EFMO 
Encapsulation: Ethernet v2, MTU 1500 bytes 
Up-time 4d19h27m, status change count 1 
Hardware address is 08:00:51:03:19:91, ARP timeout 0 sec 
No auto-negotiation, half-duplex 
Line speed unknown 
ean IP input/output rate 0/0 bits/s, 0/0 packets/s (over the last 4 
seconds) 
Bridged to group 65535 
Output queuing strategy: fifo, output queue length/depth 0/126 
Reliability: 255/255 
IN: 201612 packets, 12103580 bytes, 0 queue drops 
0 broadcasts, 0 multicasts, 0 errors, 6 discards 
14 unknown protocols 
OUT: 201477 packets, 10132769 bytes, 0 queue drops 
0 broadcasts, 0 multicasts, O errors, 0 discards 

















To display OAM statistics of a configured EFM interface, use the show efm command. 


For example: 


CLI (conf-if)> show efm 0 oam 


OAM Status 
discovery : fault 
loopback : idle 
localinfo remoteInfo 
version : 1 0 
revision : 65535 0 
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state 
muxAction forwarding forwarding 
parserAction forwarding forwarding 
oui 00 12 EF 00 00 00 
vendorInfo 00 00 00 00 00 00 00 00 
varRetrieval notSupported notSupported 
linkEvents interpreted ignored 
loopback supported notSupported 
unidirectional notSupported notSupported 
mode active passive 
maxPduSize 0 0 
OAM Statistics 
Rx Tx 
information 0 0 
uniqueEventNotif 0 0 
loopbackCtrl 0 0 
varReq 0 0 
varResp 0 0 
orgSpecific 0 0 
unsupportedCodes 0 0 
pduDiscard 0 0 
dataDiscards 0 0 

















4.3.4 Serial HDLC Interfaces 


Serial interfaces support HDLC-based protocols, which include Frame Relay and PPP. 
The commands to enter in serial interface configuration mode and set the protocol are: 


CLI (configure)> interface serial 0/0 
CLI (config-if)> encapsulation { PPP | frame-relay } 


4.3.4.1 V.11/V.35/V.28/V.36 


The serial interface is also referred to as the Vxx interface, since the interface supports several serial 
protocols (V.11/V.35/V.28/V.36). Serial interfaces in the OneOS-based routers are automatically detected 
by the chipset by auto-detecting the connected cable. To start the Vxx Line configuration, the user must 
enter into the configuration mode using the command: 


CLI> configure terminal 


The CLI enters into the Vxx Line configuration mode (config-if), when typing the next command: 


CLI (configure)> interface serial <slot number>.<port number> 


Currently, <slot number> must be set to 0 and <port number> must be set to 0. 


To configure the physical layer the following command is required: 


CLI (config-if)> physical-layer 


Once the Vxx interface is created, the user can choose the configuration mode: 


Either you want the Vxx Interface to be checked during configuration. In that case, the entered CLI 
commands will be checked against the detected cable type. 


Or you want the interface not to be checked and enter directly in configuration mode. In case no cable is 
plugged. 
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The command to be entered in checking mode is (default mode): 


CLI (ph_layer)> verify 


The command to remove the checking mode is: 





CLI (ph_layer)> no verify 


Some parameters can be chosen before starting the Vxx interface. All the following parameters are 
optional. The related commands and parameters for physical layer are: 


mtu <integer>: This command specifies the Maximum Transmit Unit (MTU) used on that physical 
interface. The integer value should be between 1 and 1600. The default value is 1500. 


CLI (ph_layer)> mtu 1500 


modulation <type>: This optional command forces a physical modulation type in the case not to use 
the default modulation associated with the detected cable. The proposed modulations are v28, v11-rs449, 
v11-rs530, v11-rs530a or v35. This parameter must also be provided if the equipment is in DCE 
mode and no cable is connected. 


CLI (ph_layer)> modulation v11-rs449 


no modulation: This command disable forced mode for modulation. The physical modulation used will 
be the one associated to the detected cable. It means v28 for a V.24 cable, v11-rs449 for X24 cable or 
V36 cable. 


CLI (ph_layer)> no modulation 


date: This optional command forces the physical mode to DTE (terminal equipment). In default mode the 
physical interface is chosen during cable detection. In default mode the outgoing signals are managed as 
described by the chosen modulation and the cable type. In dte mode, the user can choose to force the 
state (set, off) of outgoing signals 105 and 108 (see device installation guide). In the same way, in the 
default mode, the checked signals that determine the state of the Vxx line are bound to modulation and 
cable type. In dte mode, the user can choose the signals to be checked in order to determine the 
operational line state. We can check the signals numbered 106, 107 and 109 in DTE mode. 


To enter in DTE mode: 
CLI (ph_layer)> dte 


To force the 105 signal on: 





CLI (config-dte)> 105 set 


To force the 105 signal off: 
CLI (config-dte)> 105 off 


To let default management for the 105 signal: 








CLI (config-dte)> 105 default 


Commands are similar for signal 108. 
To force a check on signal 106 operational status: 
CLI (config-dte)> 106 check 


To disable a check on signal 106 operational status: 
CLI (config-dte)> 106 no 


To let default processing for the 106 signal: 








CLI (config-dte)> 106 default 


The same commands are available for 107 and 109 signals. 
To exit from DTE mode: 
CLI (config-dte)> exit 
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dce: This optional command forces the physical mode to DCE. In default mode the physical interface is 
chosen while detecting the cable type. In default mode the outgoing signals are managed as described by 
the chosen modulation and the cable type. In DCE mode the user can force the state (on, off) of outgoing 
signals 106, 107 and 109. Similarly, in default mode, the checked signals determining the state of the Vxx 
line are bound to modulation and cable. In DCE mode, the user can force the signals to be checked in 
order to determine the line operational state. Signals 105 and 108 can be checked in DCE mode. We can 
apply the same commands as DTE mode for DCE mode. 


no dte: This command is used to restore the default mode (DTE or DCE mode selected from the cable). 


CLI (ph_layer)> no dte 


no dce: This command is used to restore the default mode (DTE or DCE mode selected from the cable). 


CLI (ph_layer)> no dce 


sync encoding: Defines physical encoding mode. The value can be ‘nrz' or ‘nrzi'’. 











CLI (ph_layer)> syne encoding { nrz | nrzi } 


exit: Ends configuration of physical layer. 











CLI (ph_layer)> exit 


rate: This command changes the line rate. The default value is 2,000,000 bps. The value of line rate 
must be between 1,200 and 8,100,000 bps. 


CLI (ph_layer)> rate <linerate> 


Once the physical layer is set; the user can configure the link with the upper layer. 
The following commands are used: 


activity link timer: The command sets the physical interface Link Timer LT. The state of the 
interface is checked each LT in 1/10th of second. If the checked signals of the physical interface are down, 
the interface is considered as down. The value of LT must be between 0 and 500. 


CLI (config_if)> activity link timer <LT=number_of_1/10_of_second> 
activity link count: The command sets the physical interface link count LC. The value of LC must 
be between 0 and 250. 


CLI (config_if)> activity link count <LC=number_of_time> 


4.3.4.2 E1/T1 


To enter in E1/T1 interface configuration mode, use the following command (beginning in serial interface 
configuration mode): 


CLI (config-if)> physical-layer 
CLI (config-if)> g703-g704-interface 
CLI (ph-layer-eltl1)> 
Use the following command to select the alarm indication type: 


CLI (ph-layer-eltl)> ais-mode { itu | etsi } 


Default: itu. 


Use the following command to select the clock source (slave should be used when connected to a public 
network): 


CLI (ph-layer-eltl1)> clock { master | slave } 


Default: slave. 


Assuming that the interface is used in structured mode (G.704/G.703), you can select the time slots that 
are used. The interface supports a bundle of N time slots of 64 kbps (referred to as Nx64 mode, NxPx64 is 
not supported): 


CLI (ph-layer-eltl)> ts <tsl>[-<ts2>] 
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<ts1> is the selected time slot. If you enter <ts1>-<ts2>, all time slots between <ts1> and <ts2> are 
selected. These arguments must be between 1 and 31 for E1 (1 and 24 for T1). 


Example for a 1984 kbps E1 line: 
ts 1-31 


Example for a 1792 kbps E1 line excluding the time slots 5, 6 and 7: 
ts 1-4 
ts 8-31 
You must specify the type of connection (E1 or T1): 
CLI (ph-layer-eltl)> port-type { el | t1 } 
The command above makes the CLI enter in e1 or t1 configuration mode. From there, you can select 
some additional parameters. For E1, use: 
CLI (ph-layer-el)> framing { nil | ddf | mff-crc4 | mff-crc4-ext } 
CLI (ph-layer-el)> line-code { ami | hdb3 } 
Default: dd£ and hdb3. 
List of Acronyms: 
e  ddf: Double Frame 
e = mff-crc4: Multi-frame with CRC4 error correction 
e mff-crc4-ext: Extended Multi-frame with CRC4 error correction 


If you have selected port-type t1, the parameters are: 


CLI (ph-layer-t1)> framing { nil | £4 | £12 | esf | esf-crc6 | esf-crc6-Jjt 
| £72 } 
CLI (ph-layer-t1l)> line-code { ami | b8zs } 


From this sub-menu, enter exit 3 times. 
Example for 1984 kbps structured E1: 


interface serial 0/0 
encapsulation ppp 
physical-layer 

g703-g704-interface 
ts 1-31 
port-type el 
exit 
exit 
exit 
execute 
exit 


4.3.4.3 PPP over Serial Line Configuration 


If "encapsulation PPP' was entered in serial interface configuration mode, the next parameters must 
be then entered: 


profile: identifier of the upper layer profile. The profile is used when defining the PPP virtual template. 
The value of the profile number must be between 0 and 32. 


CLI (config_if)> profile <profile_number> 


execute: The command concludes the physical interface configuration putting into place the parameters 
that have been set. 


CLI (config_if)> execute 


Example with V.11: 
virtual-template ppp 1 
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ipcep static 

ip address 10.10.10.11 
authentication no 
execute 

exit 


interface serial 0/0 
physical layer 

no verify 

rate 2000000 
modulation v1ll1-rs530 
dte 

109 check 

106 check 

exit 

exit 

profile 1 

execute 

exit 


Example with E1: 


virtual-template ppp 1 
ipcp static 

ip address 10.10.10.11 
authentication no 
execute 

exit 


interface serial 0/0 
physical layer 
g703-704 
ts 1-31 
port-type el 
exit 
exit 
exit 
profile 1 
execute 
exit 


4.3.4.3.1 Debugging PPP over Serial 


4.3.4.4 


4.3.4.4 


To debug and decode the PPP protocol, use the following command: 


CLI> serial-capture vxx0 [ console | file ] [ verbose {1 | 2 |3} ] 
Frame Relay over Serial Interface 
1 Features 


The Frame Relay is supported on the WAN serial interface. 


Fragmentation can be enabled on PVC. The fragmentation is achieved as described in the FRF.12 
specification of the Frame Relay Forum. Fragmentation is recommended when real-time traffic must be 
transported over a multi-PVC uplink. Fragmentation prevents large fragments from non real-time PVC to 
block the emission of real-time packets. 


The Link Fragmentation-and-Interleaving (LFl) is also supported. The LFl enables the insertion of non- 
fragmented frame between fragments of a large packet. It is used for example for Voice over IP/FR traffic, 
the frame length of which is rather short (<64 bytes). Without LFI, large IP packets prevent the emission of 
real-time, short packets, thus resulting unacceptable jitter and latencies. For example, a 1500-byte packet 
delays the emission of real-time traffic by 47 ms on a 256 kbps serial line. 


The Frame Relay Traffic Shaping is based on a single token bucket. The FR traffic is shaped at the 
Committed Information Rate (CIR), with the following formula: CIR = Bc/Tc 
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Where Bc is the committed burst and Tc the integration period during which the scheduler computes the 
shaping. The depth of the token bucket is of size Be (Burst exceeded) that designates the number of bytes 
emitted beyond the CIR. Frames sent as part of the Be are tagged with DE=1 (Discard Eligibility). 
Otherwise DE=0. The Bc, Be and CIR parameters are configurable per PVC. Note that DE can also be 
tagged based on the DiffServ classes or routing policies. 


OneOS-based routers consider the network is congested when more than 50% of the received frames are 
tagged with the Backward Explicit Congestion Notification (BECN). During congestion, the shaping rate is 
lowered, until it has reached the CIR min value. 


4.3.4.4.2 Configuration 


The following commands are used to create a Frame Relay (FR) PVC. A PVC is a sub-interface of the 
serial interface. To create a FR PVC, we must first complete the serial interface configuration as follows: 


CLI (configure)> interface serial <slot>/<port> 
CLI (config-if)> encapsulation frame-relay 


4.3.4.4.2.1 LMI Configuration 


By default, the LMI is activated in NUI mode, using the Q.933 Annex A standard. If you wish to change 
these parameters, the following command lines can be used: 


CLI (config-if)> frame-relay lmi-mode { uni | nui | nni | none } 
CLI (config-if)> frame-relay lmi-norm { q933 | ansi } 


You can tune some LMI parameters: 


CLI (config-if)> frame-relay keepalive <5-30> 


To change the T391 DTE timer in seconds (default: 10 sec): 
CLI (config-if)> frame-relay lmi-n39ldte <1-255> 


To change the N391DTE counter (default: 6): 


CLI (config-if)> frame-relay lmi-n392dce <1-10> 


To change the N392DCE counter (default: 3): 


CLI (config-if)> frame-relay lmi-n392dte <1-10> 


To change the N392DTE counter (default: 3): 


CLI (config-if)> frame-relay lmi-n393dte <1-10> 


To change the N393DTE counter (default: 4): 


CLI (config-if)> frame-relay lmi-n393dce <1-10> 








To change the N393DCE counter (default: 4): 
For statistics about LMI, use: 


CLI> show statistics serial <slot>/<port> [ lmi ] 
4.3.4.4.2.2 | Completing Serial Interface Configuration 
When LMI is configured, complete the interface configuration by entering the next commands: 


CLI (config-if)> execute 
CLI (config-if)> exit 





4.3.4.4.2.3 | Frame-Relay QoS Configuration (Optional) 


The FR QoS parameters are configured inside a class map. To create a FR class map, enter: 


CLI (configure)> map-class frame-relay <map-class-—name> 
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You can define the token bucket parameters as follows: 


CLI (config-map-class)> cir <0..200000 in kbps> 


Optional parameters: 





CLI (config-map-class)> be <100..51200000> (Burst committed in bytes) 


By default, the Burst Committed Bc is calculated as CIR*Tc, with Tc = 100 msec. Changing Bc results in 
changing Tc. 


CLI (config-map-class)> be <0..51200000> (Burst exceeded in bytes, default value: 0) 


CLI (config-map-class)> minCIR <0..200000> (Minimum emission Committed Information 
Rate for congestion periods in kbps) 


CLI (config-map-class)> [no] activate-shaping 
Activates the congestion monitoring (BECN count) thereby enabling to lower the shaping rate till MinCIR 
during congestion. By default, it is not activated. 
CLI (config-map-class)> fragment <16..1600> (size of fragments in bytes. By default, 
fragmentation is disabled) 


CLI (config-map-class)> priority qos-group <0..63> 


The virtual QoS group is chosen for prioritization with LFI. In other words, if you want to activate LFl, you 
need to configure the IP QoS such that some packets are marked internally with a virtual QoS group. If a 
packet is marked with that group and is short enough for not being fragmented, then it can be inserted 
between large packet's fragments (interleaving). 


4.3.4.4.2.4 | DLCI Configuration (Required) 


Entering the following commands allows a serial sub-interface to be created for the FR PVC: 


CLI (configure)> interface serial <slot>/<port>.<sub-interface-id> 


'"<slot>.<port>!' refers to the serial port for which the FR encapsulation was previously set. The 
'<sub-interface-id>' is an arbitrary number (ranging from 1 to 255) identifying the sub-interface. It 
makes the CLI enter in sub-interface configuration mode. If you use an IP QoS, it must be declared here, 
under this sub-interface configuration level. 


It is necessary to assign an IP address to the frame relay port: 


CLI (config-if)> ip address <ip-address> [<mask>] 


Then the user must enter a valid DLCI number for the Frame Relay circuit. 

CLI (config-if)> frame-relay interface-dlci <dlci-value> 
If you wish to manage Frame Relay QoS on that DLCI, apply the Frame Relay map-class defined 
previously: 


CLI (config-if)> frame-relay class <map-class-name> 


The execute command must be entered to validate the changes: 


CLI (config-if)> execute 
CLI (config-if)> exit 


4.3.4.4.2.5 PVC Prioritization 


To enable this feature, first enter in serial interface configuration mode and enable priority queuing: 


CLI (configure)> interface serial <slot>.<port> 

CLI (config-if)> frame-relay interface-queue priority [ <1..255> <1..255> 
<1..4255> <1..255> -] 

CLI (config-if)> execute 

CLI (config-if)> exit 
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The 4 figures provided at the end of the 'frame-relay interface-queue priority' command are 
optional. They represent the size of queues for the high, medium, normal and low priority queues. The 
default values are: 


- High: 20 
- Medium: 40 
- Normal: 60 
- Low: 80 


Then, you can assign the PVC priority in the corresponding map-class as follows: 


CLI (configure)> map-class frame-relay <map-class-name> 

CLI (config-map-class)> interface-queue priority { high | medium | normal 
| low } 

CLI (config-if)> exit 





Example 1: Frame Relay without QoS 


configure terminal 

interface serial 0/0 
encapsulation frame-relay 
execute 

exit 

interface serial 0/0.1 

ip address 10.10.10.1 255.255.255.0 
frame-relay interface-dlci 20 
execute 

exit 

exit 


Example 2: Frame Relay Shaping 


configure terminal 

map-class frame-relay shaperl 
cir 100 

be 1250 

be 500 

mincir 60 

adaptive-shaping 

exit 


interface serial 0/0 
encapsulation frame-relay 
execute 

exit 

interface serial 0/0.1 
frame-relay class shaperl 

ip address 10.10.10.1 255.255.255.0 
frame-relay interface-dlci 20 
execute 

exit 

exit 


Example 3: Frame Relay Shaping with Fragmentation 


configure terminal 

map-class frame-relay shaperl 
cir 100 

be 1250 

be 500 

mincir 60 

adaptive-shaping 

fragment 128 

exit 


interface serial 0/0 
encapsulation frame-relay 
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execute 

exit 

interface serial 0/0.1 

frame-relay class shaperl 

ip address 10.10.10.1 255.255.255.0 
frame-relay interface-dlci 20 
execute 

exit 

exit 


Example 4: Frame Relay Shaping with Fragmentation and LFI 


configure terminal 


Configure a class map called 'voice' 


class-map voice 
match 
exit 


! Define the QoS policy to mark packets with the virtual QoS group 12 
policy-map policy1l 
class voice 

set qos-group 12 

! 


exit 
exit 


map-class frame-relay shaperl 
cir 100 

be 1250 

be 500 

mincir 60 

adaptive-shaping 

fragment 128 

priority qos-group 12 

exit 


interface serial 0/0 

encapsulation frame-relay 

execute 

exit 

interface serial 0/0.1 

! Apply the IP QoS policy to an interface 
service-policy output policyl 
frame-relay class shaperl 

ip address 10.10.10.1 255.255.255.0 
frame-relay interface-dlci 20 
execute 

exit 

exit 


4.3.4.4.3 Statistics 


CLI> show statistics frame-relay 








IP over Frame Relay Statistics 








Vxx - Port 0 / Slot 0 / Sub-Interface 1 
DLE 2 67 

IP address : 10.10.10.11 

Status : UP 





Rx statistics 
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0 packets received 
No errors 





Tx statistics 





O packets sent 
No errors 











To display the traffic shaping statistics: 


CLI> show frame-relay traffic-shaping 


To reset the traffic shaping statistics: 


CLI> clear frame-relay traffic-shaping 


To show the FR configuration: 


CLI> show frame-relay class-service 


4.3.4.5 Serial Line Statistics 


To view information about the physical layer status, use: 


CLI> show { el | vxx } 


The following command displays the interface configuration: 


CLI> show configuration interface serial [ 0/0 ] 


The statistics are displayed using the following command: 


CLI> show statistics interface serial [ 0/0 ] 


4.3.5 PPP Virtual Template Configuration 
4.3.5.1 Bi-Directional CHAP & CHAP Server 


When the OneOS-based router must authenticate its PPP peer with CHAP, a control is made on the 
username and CHAP challenge handshake. The peer username and password are defined globally and 
are valid for all PPP connections. When a remote device is authenticated, OneOS-based router scans the 
list of usernames to determine the CHAP challenge. Peers are defined as follows from the configuration 
terminal: 


CLI (configure) > peer username <username> password <password> 
[<encryption>] 


When <encryption> is ‘0’, the password is entered in clear text. If ‘1’, it indicates the password is 
entered using the encryption algorithm #1. 


4.3.5.2. Entering in Virtual-Template Configuration Mode 


The PPP Virtual template defines a profile used for the PPP over Leased Line configuration. 
The virtual template profile is created by the command: 


CLI (configure) > virtual-template ppp <profile_number> 


The parameter <profile_number> identifies the template profile (range from 0 to 32). 
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4.3.5.3 


PPP Client Configuration 


4.3.5.3.1 IPCP Parameters 


If no mode is entered, this feature is disabled and the IP address must then be configured. 


If static mode is selected, the IPCP service functions in static mode. In this case the IP address must be 
configured and is checked by the remote equipment (the OneOS-based router and the remote device must 
have the same data configured -such as the IP address-). 


If dynamic mode is selected, the IP address for the interface is obtained via PPP/IPCP from the next hop 
router. 


CLI (config-virt-ppp)> ipep { static | dynamic | no } 


If dynamic mode is selected, the network mask can also be obtained via PPP/IPCP. 
CLI (config-virt-—ppp) > ipep mask-request 
Note: If mask-request is used, the "ip unnumbered <interface>" command is mandatory for 
the IP address and the network mask apply to <interface> otherwise they will apply to PPP. 
If you want to retrieve the DNS server address per IPCP use the next command: 


CLI (config-virt-—ppp)> ipep dns—-accept 


4.3.5.3.2 IP Address 


4.3.5.3 


The IP address must be set if dynamic IPCP is not used. By default, dynamic IPCP is set and you do not 
need to set the IP address. To enter the IP address, use the following command: 


CLI (config-virt-—ppp)> ip address <ip_address> [<mask>] 
Instead of having an IP address, the local PPP interface can be unnumbered, thus saving some IP 
addresses. The configuration is the following: 


CLI (config-virt-ppp)> ip unnumbered { Loopback <lb-id> | 
Ethernet <slot>/<port>[.<vlan-if>] | 
FastEthernet <slot>/<port>[.<vlan-if>] | 
Atm <intf>.<port> | 
Serial <slot>.<port> } 


.3 Authentication Type 


Use this command to specify the authentication type. 
CLI (config-virt-ppp)> authentication { no | pap | chap | chap/pap } [ 
two-ways | one-way-callin | one-way-called ] 
In case of PAP authentication, the CPE must send a name and password that is checked against a 
matched entry in the local database of the remote router. 


In case of CHAP authentication, the CPE sends a “challenge” message to the remote device, which then 
encrypts the value with a shared key and returns it to the CPE. 


The authentication no command disables this function. By default, CHAP is enabled. 
The second argument defines the authentication types. They are: 
e two-ways: authentication is done by both sides. 


e one-way-callin (default): authentication material is sent to the remote device, but the remote 
device is not locally authenticated. 


e one-way-called: authentication material is not sent to the remote device (only username is sent), 
but the remote device must be authenticated. 


Note: for the current release, only bi-directional CHAP and CHAP server are supported. All other 
combinations are supported with the attribute one-way-callin. 
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4.3.5.3.4 | Username and Password 
This configuration command specifies the username and password (character string) used by the 
authentication protocol. 


The username may content a predefined string of the form #mac<i># that will be replaced during 
authentication by the corresponding MAC address of the device. 








Example: #macl#@my.com will be replaced by 0012EF44E276@my.com where 00:12:EF:44:52:76 is 
the MAC address #1 of the device as listed in the product information area. 




















The maximum permitted length of username is 64 characters; the maximum permitted length of password 
is 30 characters when entered in clear text and 128 characters when entered already encrypted. 


CLI (config-virt-—ppp) >username <username> 
CLI (config-virt-—ppp) >password <password> [<crypto-algorithm>] 





The username must be entered even if the authentication is ‘one-way-called’. 


If <crypto-algorithm> is not provided, the password is entered and stored in clear text. 
If <crypto-algorithm> = 0 is provided, the password is entered in clear text and stored encrypted. 
If <crypto-algorithm> = 1 is provided, the password is entered and stored encrypted. 


4.3.5.3.5 | Link Fragmentation and Interleaving (LF) 


LFI enables to reduce significantly transit delays for priority packets. To understand the under-laying 
properties of the IP QoS, please refer to Transit Delay Control. When activating LFI, the priority packets 
are encapsulated in PPP and low priority packets are transported in MLPPP. If low priority packets are too 
large, they are fragmented. Priority packets are transmitted after the current frame being emitted by the 
interface. 


To enable interleaving, use the following command: 


CLI (config-virt-—ppp)> multilink interleave 


Then you must set some MLPPP parameters: 


CLI (config-virt-—ppp) > multilink discriminator <class> <string> 
CLI (config-virt-—ppp)> multilink fragment-size <bytes> 


CLI (config-virt-ppp)> multilink header { long | short } 





CLI (config-virt-—ppp)> multilink max-revunit <bytes> 
The discriminator is used to identify to which bundle a link must be added. It must be usually 


configured (it depends on the remote end of the MLPPP connection). <class> is an integer ranging from 
1 to 5 and <string> is a string of 20 characters maximum. 


The max-rcevunit is the Maximum Remote Receive Unit (MRRU) and is by default 1500 bytes. 


4.3.5.3.6 | Completing Template configuration 


You must enter the following commands: 


CLI (config-virt-—ppp) > execute 


CLI (config-virt-—ppp) > exit 


4.3.5.3.7 Examples 


The following example illustrates how to configure a PPP connection over a V11 line: 
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configure terminal 
virtual-template ppp 0 
ipep static 

ip address 20.0.0.2 
mru local 1500 no 

mru remote 1500 no 
magic number not-—negotiable 
authentication no 
keepalive 1 

retry-time min 3 max 10 
reconnection 

execute 

exit 

interface serial 0/0 
encapsulation ppp 
profile 0 
physical-layer 

dte 

exit 

modulation vl1-rs530 
exit 

execute 

exit 


The following example illustrates how to activate LFl over a MLPPP E1 link. We want that all PING be 


treated as priority (interleaved packets). 


! Declare an ACL that matches any ICMP echo 
ip access-list extended ping 


permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 


exit 


! Create a policy-map that puts outgoing ‘ICMP echos’ 


! the priority queue 
class-map ping 

match access-group ping 
exit 


policy-map ping l1fi 
class ping 
priority percent 10 
exit 

exit 


virtual-template ppp 1 
ipep static 
ip address 10.10.10.11 
authentication no 
multilink interleave 
multilink fragment-size 250 
multilink header long 
multilink discriminator 1 Q 
multilink max-rcevunit 1524 
execute 
exit 


interface serial 0/0 
physical layer 
g703-704 
ts 1-8 
port-type el 
exit 
exit 
exit 
profile 1 
execute 
service-policy output ping _1fi 
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exit 


4.3.5.4 PPP Server Configuration 


The PPP configuration in server mode is currently restricted to application cases, where PPP sessions are 
tunneled in L2TP by LNS. 


4.3.5.4.1 IPCP Parameters 


If no mode is entered, this feature is disabled and the IP address must then be configured. 


If static mode is selected, the IPCP service, functions in static mode. In this case the IP address must 
be configured and is checked by the remote equipment (the OneOS-based router and the remote device 
must have the same data configured -such as the IP address-). 


If dynamic mode is selected, the IP address is provided via PPP/IPCP to the remote PPP endpoint. 


CLI (config-virt-ppp)> ipep { static | dynamic | no } 
4.3.5.4.2 IP Address 


If dynamic IPCP is used, the local PPP interface will take an IP address from the defined local pool. Two IP 
addresses are thus needed when a new PPP session is established. The following command must be 
entered, if dynamic IPCP was chosen: 


CLI (config-virt-—ppp)> ip address 0.0.0.0 
Instead of having an IP address, the local PPP interface can be unnumbered. The configuration is the 
following: 


CLI (config-virt-—ppp)> ip unnumbered { Loopback <lb-id> | 
Ethernet <slot>/<port>[.<vlan-if>] | 
FastEthernet <slot>/<port>[.<vlan-if>] | 
Atm <intf>.<port> | 
Serial <slot>.<port> } 


The IP address must be set if dynamic IPCP is not used. To enter the IP address, use the following 
command: 


CLI (config-virt-ppp)> ip address <ip_address> 
4.3.5.4.3 IP Address Pool 


If the device is the PPP server, it can set the client IP address by taking an IP address in an address pool. 
The address pool is assigned as follows: 


CLI (config-virt-—ppp)> peer default ip pool <pool-name> 


The pool must have been previously defined in global configuration mode, as follows: 





CLI(configure)> ip local pool <pool-name> <lowest-ip-address> <highest-— 
ip-address> 


4.3.5.4.4 RADIUS Server 


If ‘peer default' is enabled, the PPP authentication is realized through a RADIUS server. For 
authentication, a RADIUS server must be defined in global configuration mode 


CLI (configure)> radius-server <RADIUS-server-ip> [:<RADIUS-UDP-port>] 
<shared-key> 
Example: 


ip local pool ppp _virt3 60.3.1.1 60.3.1.50 
radius-server 192.178.10.43 ip2002 
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virtual-template ppp 4 

ipcp dynamic 

ip unnumbered loopback 2 

mru local 1500 no 
authentication pap 

keepalive 10 

peer default ip pool ppp _virt3 
execute 

exit 


4.3.5.5 | Common Parameters for PPP Client and Server 
4.3.5.5.1 MRU Parameters 
The MRU is set using a command with the following format: 


CLI (pppoa)> mru local <size> { yes | no } { yes | no } 
CLI (pppoa)> mru remote <size> { yes | no } { yes | no } 





This command sets the Maximum Receive Unit (MRU) local/remote length and enables selection of 
negotiation mode. The MRU can have different significations: 


- The remote MRU designates the maximum size of packets received sent in a PPP payload. If the remote 
MRU is less than the IP packet length, the IP layer performs an IP fragmentation (if DF=0, otherwise the 
packet is dropped and an ICMP message indicating the Path MTU is sent back) 


- When using MLPPP, the remote MRU sets the MLPPP fragmentation size. The size of fragments cannot 
be lower than 200 bytes. 


If negotiation request is enabled (yes in first yes-no argument), the MRU length is negotiated with the 
remote PPP peer and is lower or equal to the size value. The negotiation accept (second yes-no 
argument) defines whether the MRU proposed by the remote peer should be accepted. If negotiation is not 
enabled (no in first or second yes-no argument), the maximum datagram length is equal to <size> value. 
At any rate, the length of MRU is lower or equal to 1582 bytes. 


4.3.5.5.2 | Magic Number Negotiation 


magic number is used by the LCP protocol to detect looped-back lines and to check the continuity using 
“echo” frames. 


The magic number may be negotiable: the remote device can choose the number; otherwise (if non- 
negotiable) the CPE selects its own number. 


CLI (config-virt-ppp)> magic number { negociation | not-negotiable} 
4.3.5.5.3 Keep alive Timer 


If the value of <timer> is different from zero, the keep-alive mechanism is enabled. The keep-alive sends 
periodical "echo" frames to prevent disconnection after a long period of PPP inactivity. 


CLI (config-virt-—ppp)> keepalive <timer> 


The 'no keepalive' command disables the mechanism. 
4.3.5.5.4 Reconnection 


It enables automatic reconnection when a PPP session is disconnected. 
CLI (config-virt-—ppp)> reconnection { automatic | datagram } 
‘automatic' forces reconnection after disconnection of the PPP session. 'datagram' forces 


reconnection only when a datagram needs to be forwarded on the interface. 'no reconnection’ 
disables the mechanism. The mechanism is disabled by default. 
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4.3.5.5.5 Retry Timer 


This timer is used by the LCP protocol during the configuration and negotiation phase for connection and 
auto-reconnection. If a BAS is down and up again all routers will attempt to connect to the BAS 
simultaneously, thus flooding the BAS with connection requests. A random timer for session re- 
establishment can prevent several routers from reconnecting at the same time. The configuration must 
provide a minimum and a maximum range for retry timers. The value of the timer is then chosen randomly 
between the values min and max. 


CLI (config-virt-—ppp)> retry-time min <value> max <value> 


4.3.6 PPPoE on Ethernet Uplink 


A PPPoE interface is considered in the configuration as a logical dialer interface. This dialer interface is 
attached to one physical or VLAN interface. The attachment between logical and physical or VLAN 
interface is determined by the dialer pool membership id. The physical or VLAN interface is attached to a 
PPPoE service profile (called bba-group: broadband access group), which in turn is attached to a PPP 
virtual template. 


Dialer (Logical IP Dial-pool-member FastEthernet or 


Interface) <id> VLAN (physical 
PPPoE Interface) 





Bba-group pppoe 
(pppoe service 
profile) 


Virt-template PPP 
(PPP parameters) 





The dialer interface is the IP interface onto which NAT, ACL ... IP services are configured. 
4.3.6.1 Configuration 


First, select the FastEthernet or VLAN interface where the PPPoE service shall be attached: 


CLI> configure terminal 
CLI (configure)> interface fastEthernet <slot>/<port>[.<vlan-if>] 
CLI (config-if)> no ip address 


Then choose an arbitrary bba—group name and an arbitrary dial—pool-number in PPPoE client mode: 


CLI (config-if)> pppoe enable <bba-group-—name> 

CLI (config-if)> pppoe-client dial-pool-number <id> 
CLI (config-if)> exit 

CLI (configure) > 


Then, a PPP virtual template is configured. This template gathers all PPP parameters for the PPPoE 
profile. See section 4.3.5 for details. A typical configuration is the following: 


CLI (configure)> virtual-template ppp <id> 

CLI (config-virt-—ppp)> username <ppp-username> 
CLI (config-virt-ppp)> password <ppp-password> 
CLI (config-virt-—ppp)> ipep dns-accept 

CLI (config-virt-ppp) > execute 

CLI (config-virt-—ppp)> exit 

CLI (configure) > 


The BBA group must be configured. The same bba-group-name must be used as the one under 
interface fastEthernet: 
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LI(configure)> bba-group pppoe <bba-group-—name> 
virtual-template ppp configured previously 

LI (pppoe) > virtual-template <id> 

LI (pppoe)> service-name <sv-—name> 

LI (pppoe)> exit 

LI (configure) > 





aaqaa-a 


service-—name Is usually optional. This is an option in the PPPoE protocol that might be controlled by the 
BAS. If you do not know the service-name, simply do not enter the command because the parameter is 
optional. 


Finally, the PPPoE dialer interface is configured. The same dial—pool-number previously defined under 
interface fastEthernet must be re-used. 





CLI (configure)> interface dialer <id> 

CLI (config-if)> encapsulation ppp 

CLI (config-if)> dialer pool <dial-pool-number> 
CLI (config-if)> exit 

CLI (configure) > 


If you wish to activate NAT, ACL or other IP services, it is done under the ‘interface dialer’ 
configuration mode: 


interface dialer <id> 

ip nat inside overload 

ip nat static-napt 192.168.1.1 21 self 21 
ip access-group myacl in 


CLI (configure) > 
CLI (config-if)> 
CLI (config-if)> 
CLI (config-if)> 


4.3.6.2 Configuration Example 


hostname one100 
ip name-server 127.0.0.1 
policy-map qos 
class class-—default 
fair—queue 
exit 
exit 
interface FastEthernet 1/0 
no ip address 
pppoe enable PPPoE_2 
pppoe-client dial-pool-number 15 
exit 
virtual-template ppp 1 
ipcp dns-accept 
username fti/9tu6kzq 
password ck934kw 
execute 
exit 
bba-group pppoe PPPoE_2 
virtual-template 1 
service-name TEST_PPPOE1 
exit 
ip route 0.0.0.0 0.0.0.0 dialer 0 
interface dialer 0 
encapsulation ppp 
dialer pool 15 
ip tcp adjust-mss 1452 
ip nat inside overload 
ip nat static-napt tcp 192.168.1.1 18080 self 80 
ip nat static-napt tcp 192.168.1.1 21 self 21 
exit 


4.3.6.3 Statistics and Traces 


To display PPP settings: 
CLI> show virtual-template ppp <id> 
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To display PPPoE statistics: 


CLI> show statistics dialer ppp <id> 


To activate PPPoE traces, enter the following command and follow the guidelines: 





CLI> [no] debug pppoe 


To activate PPP traces, enter the following command and follow the guidelines: 


CLI> [no] debug ppp 
4.3.7 ISDN Configuration for Data Services 
4.3.7.1 Service Description 


The OneOS-based routers are optionally equipped with an ISDN interfaces (BRI or PRI). The ISDN 
interface supports the LAPD signaling protocol (Q.921/Q.931) to establish the data channel supporting a 
PPP session. A single BRI interface has two data channels while a single PRI interface has thirty data 
channels. These channels are called B-channels. A PPP session can be established over a B-Channel to 
transport IP traffic. 


B-channels can be bundled using the Multi-Link Point-to-Point Protocol (MLPPP). The MLPPP protocol 
permits the aggregation of several communication channels to operate as a single link; this operation is 
defined by RFC 1990. Using MLPPP data packets are "inverse-multiplexed” over the individual links that 
form the MLPPP link bundle. Latency is reduced by segmented large packets for transmission over the 
MLPPP link bundle. 


The number of links can be increased and reduced dynamically to adapt to the required bandwidth and 
reduce the cost of ISDN dial-up connections. To add and remove links from an MLPPP bundle, the 
following is needed: 


e A decision algorithm to accept/refuse link addition/removal 
e (Optionally) A control protocol for negotiation of link addition/removal 
The control protocol is defined in RFC 2125 and is composed of: 


e The Bandwidth Allocation Protocol (BAP) which (RFC statement) "defines packets, parameters and 
negotiation procedures to allow two endpoints to negotiate gracefully adding and dropping links from a 
multilink bundle". 


e The Bandwidth Allocation Control Protocol (BACP) which is the control protocol for setting up the BAP 
between two hosts communicating with MLPPP. 


When using BAP/BACP, the calling router is the BACP client and the called router is the BACP server. The 
BACP client requests the addition and removal of links to the remote router. This mode is referred to as 
dynamic mode with a dynamic-client and dynamic-server. 


If no control protocol is used, the B-Channels are added and removed by the calling router. This mode is 
referred to as static-boda (Bandwidth On Demand Application). Be aware that both modes are not 
compatible. 


The following behaviors can be configured (both routers must be configured in either static or dynamic 
mode): 


e Calling & called router (Static mode): the number of links in a bundle is defined per configuration. The 
device tries to add all links if they are available. 


e Calling router (mode: static-boda or dynamic-client): the device can measure traffic and undertake to 
change the number of links to adapt to the measured traffic profile. We can define an add threshold 
(e.g. 80 % of the measured outgoing traffic) for adding links in a bundle. The measured traffic is a 
sliding average. Example: If N is the number of used links (64 kbps), if the emitted traffic exceeds (A% 
+ (N-1)) * 64 kbps, the router tries to add a B-channel. For dropping a link, if the emitted traffic is 
measured as lower than (D% + (N-1)) * 64 kbps, the link is removed. In static-boda mode, the router 
tries to add a link as long as the measured traffic is high enough and the addition is not successful. 
The dynamic server can add links as long as: 


e The number of links does not exceed the number of available physical links locally and 
remotely. 


e The number of used links does not exceed the configured maximum number of links for this 
MLPPP bundle. 


Page 4.3-200 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


e The remote end (dynamic client) does not refuse the addition of a link to a bundle. Note: a 
dynamic MLPPP client can also refuse to drop links in this mode. 


Called router (mode: static-boda or dynamic-client): if the device receives a request to add/drop a link, 
it does not decline the request. Exception: The device can add links if available and up to a maximum 
number defined per configuration. 


Several operating modes are possible for ISDN interface: 


Backup: when the main link fails (e.g. DSL), data are routed over the ISDN interface. Therefore, the 
ISDN interface is not used in normal working conditions. The ISDN interface is set up on demand, 
when traffic needs to be sent and no main link is operational. 


Dial-Out Access: the OneOS-based router uses the ISDN port as uplink. The access is then either 
permanent or dynamically set up when a datagram must be sent. 


Dial-In Access: the OneOS-based router is accessed by a remote device. The feature is useful for 
remote management purposes. 


Bi-directional Access: the interface can call or be called. 


PPPoA Call Back: the OneOS-based router cannot be "waked up" through the DSL uplink. The 
OneOS-based router receives a call setup request. Then, the ISDN call-back feature is used to 
reactivate the PPPoA session and the ISDN communication is not established (no B-channel is set 


up). 


The operating modes provided above can be configured concurrently. Each of the operating modes can be 
configured several times with different parameters to allow several calling/called numbers. However, the 
services are limited by the number of B-channels. For example, one can configure Dial-Out, Dial-In and 
Backup accesses on a BRI interface. If the dial-out and the dial-in communication are set up, there is no B- 
channel left available for the backup. 


For dial-on-demand connection, dialer-groups can be defined. They are a set of filtering rules that allows 
only certain applications to open the ISDN connection (e.g. LAN traffic, telnet) while others do not 
(example: SNTP, SNMP). 


The configuration steps are the following: 


1. 
2. 
3. 


4.3.7.2 


4.3.7.2.1 


ISDN Signaling Configuration (LAPD, protocol D) 
HDLC Configuration of the B-Channels 
ISDN Service Configuration: Dial in and/or Dial and/or backup and/or PPP call back 


Configuration 


ISDN Signaling Configuration 


To start the ISDN configuration, the user must enter into the configuration mode using the command: 


CLI> configure terminal 


To create/enter the ISDN configuration, the next command is used: 


CLI (configure)> interface { bri | pri } <slot-number>/<port-number> 


The slot-number parameter is the physical slot of the ISDN interface and port-number is the physical 
port. See below the detailed numbering of ISDN slots and ports. 























Router Slot Port Number 
Single SO ISDN daughter board (ONE60/200) 2 0 
Other OneOS-based router ISDN interfaces 5 0..7-8..11 (note) 





Note: depending on the total number of available ISDN ports 
To disable the ISDN signaling, use the no interface bri <slot>/<port> command. 
Prior to any change in the ISDN configuration, the ISDN interface must be shutdown. 

CLI (config-if)> shutdown 


Some parameters can be set in the ISDN signaling layer. The ISDN configuration mode is entered by 
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entering the following command: 


CLI (config-if)> isdn 


The maximum number of B-channels handled by the ISDN interface is configured: 





CLI(isdn)> max channels <number> 


When using SO daughter board on the ONE60, the number is always 2. 
For compatibility with BLES/VMOA (VoATM), the application type must be defined: 
CLI(isdn)> application-interface { voip | voatm | data } 
For data services, data must be used. The default value is data on the SO interface of the ONE60 
(voatm on voice modules of the ONE200). 
To define the NT or TE mode in ISDN, the next commands are used: 
CLI (isdn)> protocol-emulation { isdn-te | isdn-nt | qsig } 
CLI(isdn)> layerl-emulation { nt | te } 
CLI(isdn)> layer2-emulation { nt | te } 
By default, the TEI selection mode is dynamic (recommended) and the associated command is: 


CLI (isdn)> tei-negociation dynamic 


If the TEI negotiation is static, the commands are: 
CLI (isdn)> tei-negociation static 
CLI(isdn)> static <0..63> 


Some ISDN counters and timer can be set (for experts), for example: 


CLI (isdn)> modulo-window { 8 | 128 } 
CLI (isdn)> k-window <1..128> 


Default values are: K window = 7, modulo window = 128. 
Then the ISDN signaling must be re-enabled using this command: 


CLI(isdn)> exit 
CLI (config-if)> no shutdown 


4.3.7.2.2 PRI Interface 
If a PRI interface is used, it must be enabled by entering the following commands, which allows specifying 
several parameters for the physical level. 


Commands for enabling an E1 interface: 


CLI (configure)> interface pri 5/0 
CLI (config-if)> physical-interface El 
CLI (config-if)> linecode hdb3 


Main parameters: 


CLI (config-if)> physical-interface { El | Tl } 


Specify the interface type of voice interface as E1 or T1 (default: E1): 
CLI (config-if)> framing { none | df | mf | emf | sf | esf | auto-detect } 
To specify the framing type: 
e none: no framing. Only used for CES / unstructured mode 
e df: double frame, no CRC4 (for E1 only) (default value) 
e mf: multiframe (CRC4) (for E1 only) 
e emf: extended multiframe (CRC4) (for E1 only) 


e sf: super-frame (for T1 only) 
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e esf: extended super frame (for T1 only) 


e auto-detect: used to find automatically ISDN PRI framing by trying all possible detections. This 
behavior can be set when the configuration of remote side is unknown. An event containing the 
correct framing is generated when layer-1 is activated. 


Specify the physical line coding to be used ami, hdb3, bz8s (default: hdb3): 

CLI (config-if)> linecode { ami | hdb3 | b8zs } 
The interface must be shut down if a physical parameter has to be modified. The interface is re-activated 
with the command no shutdown. 


CLI (config-if)> [no] shutdown 
4.3.7.2.3 B-Channel Configuration 


Usually, the next commands are not needed since the default values are generally appropriate. If some 
parameters need to be changed though, the user must enter in interface configuration mode: 


CLI (configure)> interface { bri | pri } <slot-number>/<port-number> 
The HDLC Activity Timer AT is the timer supervising the proper working of the HDLC interface. The HDLC 


interface is checked N times (N=HDLC count). If the timer expires N times before no HDLC flag is 
received, the interface is considered as faulty. To set the HDLC activity timer, use the next command: 


CLI (config-if)> activity hdlc timer <1..500> 
The value is provided in 10th of seconds. The default value is 36. To set the HDLC count, use the next 
command: 


CLI (config-if)> activity hdlc count <1..250> 


The default value is 1. The inactivity b-channel timer is a timer supervising B channel inactivity. If 
no traffic is used on the B channel, the B channel is disconnected after the defined timer length. The 
command is: 


CLI (config-if)> inactivity b-channel <0..3600> 


The default value is 120. The value is provided in seconds. To apply the changes: 


CLI (config-if)> execute 
CLI (config-if)> exit 


4.3.7.3. ISDN Service Configuration 
4.3.7.3.1 Direct ISDN Dial Out 


The Dial-Out mode permits the OneOS-based router to call a NAS or a router. If the OneOS-based router 
has routes with different metrics, the Dial Out can be used to trigger the interface as an ISDN backup. To 
configure an ISDN connection initiated by the OneOS-based device, the user must first select an arbitrary 
connection number; the command is: 


CLI (configure)> interface isdn-dialer <slot-number>/ 


<port-—number>.<connection-id> 


connection-id is an identifier, ranging from 0 to 255, which the user can choose freely. The table below 
indicates how slots are numbered on the router interfaces: 























Router Slot Port Number 
Single SO ISDN daughter board (ONE60/200) 2 0 
Other OneOS-based router interfaces 5 0..7-8..11(note) 





Note: depending on the total number of available ISDN ports 


To enable outgoing calls, use the next command: 
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CLI (config-if)> outgoing call [<name>] 


To disable outgoing calls, use the no outgoing call [<name>] command. name is arbitrary and 
optional. It designates the name of the connection such as paris or central-site for easier reading of 
the configuration. The called E.164 number must be entered: 


CLI (out-call)> address <E.164-number> 





Optionally, a callback number can be configured. When the calling number of an incoming call matches the 
callback number, the router refuses this call but rather dials the outgoing address number. 


CLI (out-call)> callback-address <E.164-number> 





If MLPPP is used, the MLPPP bundle must be created and identified by an arbitrary identifier ranging from 
0 to 32. 


CLI (out-call)> mlppp <mlppp-id> 


The CLI enters in MLPPP configuration mode and some parameters can be entered: 


CLI (out-call-mlppp)> connection {static | static-boda | dynamic-server | 
dynamic-client} 





CLI (out-call-mlppp)> max-link <1..30> 

CLI (out-call-mlppp)> header { short | long } 
CLI (out-call-mlppp) > max-rev-unit <40..4000> 
CLI (out-call-mlppp)> exit 


The connection command indicates if and how the bandwidth on demand feature is activated (see 
4.3.7.1): 


e static: indicates that the number of links in the MLPPP bundle is fixed. Therefore, the device will try 
to set up all links when initiating the MLPPP bundle. 


e static-boda: the router measures the traffic and uses the default boda value to add and drop links. 
( (80% + N —1)*64 kbps, confirmation window to add: 5 sec, to remove: 1 sec) 


e dynamic-client: the device measures bandwidth usage and add/drop links according to the 
measurements. 


e dynamic-server: the device does not measure traffic. 


The max-link command defines the maximum number of links allowed in the bundle. As the MLPPP is 
only allowed on a physical interface, the maximum value is 2 for a SO port and 30 for a S2 port. Default: 
max-link = 1. 


The header is an option of MLPPP for MLPPP headers (indicates the length of sequence numbers). 
The max-rcv-unit command is the number of bytes of the reassembled MLPPP payload. 


Then, the PPP configuration must be selected. This is done by entering the corresponding PPP virtual 
template identifier (a number ranging from 0 to 255): 


CLI (out-call)> encapsulation ppp 

CLI (out-call)> profile <virtual-template-id> 
CLI (out-call)> exit 

CLI (out-call)> execute 

CLI (out-call)> exit 

CLI (config-if)> 


The commands can be repeated several times to allow calling different addresses. 
4.3.7.3.2 Dial In (OneOS-based router being called) 


The next paragraph describes the configuration steps required to allow a remote equipment to dial in the 
OneOS-based device. To configure the OneOS-based device to accept and establish a call initiated by a 
remote host, the user must first select an arbitrary connection number; the command is: 


CLI (configure)> interface isdn-dialer <slot-number>/ 
<port-number>.<connection-id> 
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Connection-id is an identifier, ranging from 0 to 255, which the user can choose freely. The table in 
4.3.7.3.1 indicates how slots are numbered on the router interfaces. 


To enable incoming calls, use the next command: 


CLI (config-if)> incoming call [<name>] 


To disable the incoming call, use the no incoming call [<name>] command. name is arbitrary and 
optional. The calling E.164 number must be entered: 


CLI(in-call)> address <E.164-number> 





If MLPPP is used, the MLPPP bundle must be created and identified by an arbitrary identifier ranging from 
0 to 32. 


CLI(in-call)> mlppp <mlppp-id> 


The CLI enters in MLPPP configuration mode and some parameters can be entered: 


CLI (in-call-mlppp)> connection { static | static-boda | dynamic-server | 
dynamic-client } 





CLI (in-call-mlppp)> max-link <1..30> 

CLI (in-call-mlppp)> header { short | long } 
CLI (in-call-mlppp)> max-rev-unit <40..4000> 
CLI (in-call-mlppp)> exit 


The connection command indicates if and how the bandwidth on demand feature is activated (see 
4.3.7.1): 


e static: indicates that the number of links in the MLPPP bundle is fixed. Therefore, the device will try 
to set up all links when initiating the MLPPP bundle. 


e static-boda: the router measures the traffic and uses the default boda value to add and drop links. 
( (80% + N —1)*64 kbps, confirmation window to add: 5 sec, to remove: 1 sec) 


e dynamic-client: the device measures bandwidth usage and add/drop links according to the 
measurements. 


e dynamic-server: the device does not measure traffic. 


The max-link command defines the maximum number of links allowed in the bundle. As the MLPPP is 
only allowed on a physical interface, the maximum value is 2 for an SO port and 30 for an S2 port. Default: 
max-link = 1. 


The header is an option of MLPPP for MLPPP headers (indicates the length of sequence numbers). 
The max-rcev-unit command is the number of bytes of the reassembled MLPPP payload. 


Then, the PPP configuration must be selected. This is done by entering the corresponding PPP virtual 
template identifier (a number ranging from 0 to 255): 


CLI (in-call)> encapsulation ppp 
CLI(in-call)> profile <virtual-template-id> 
CLI(in-call)> exit 

CLI (in-call)> execute 

CLI (in-call)> exit 

CLI (config-if)> 


The commands can be repeated several times to allow several different callers. 
4.3.7.3.3 _ Bi-Directional Calls 
To configure the OneOS-based router for an interface enabling incoming and outgoing calls, the user must 


first select an arbitrary connection number; the command is: 


CLI (configure)> interface isdn-dialer <slot-number>/ 
<port-—number>.<connection-id> 
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connection-id is an identifier, ranging from 0 to 255, which the user can choose freely. The table in 
4.3.7.3.1 indicates how slots are numbered on the router interfaces. 


To enable incoming calls, use the next command: 


CLI (config-if)> both-way call [<name>] 


To disable the incoming call, use the 'no both-way call [<name>] ' command. <name> is arbitrary 
and optional. The following E.164 numbers must be configured: 


e The caller address. The caller is authenticated using this number. 
e The called address in case of outgoing call. 


Optionally, a callback number can be configured. When the caller number of an incoming call matches the 
callback number, the router refuses this call but rather dials the ‘outgoing address’ number. 


It is entered so: 


CLI (bo-call)> callback-address <! 
CLI (bo-call)> address incoming <! 
CLI (bo-call)> address outgoing <! 


.164-number> 
.164-number> [secondary] 
.164-number> [secondary] 








El go 


If the value of <E.164-number> for incoming call is ’*’, the access control is disabled. 


The other parameters are the same as those for the preceding section, except for bandwidth on demand 
parameters. Thresholds and confirmation windows define how links must be added or removed: 


e A link is added if the measured inbound or outbound traffic is beyond the addition threshold. A link is 
removed if the measured inbound and outbound traffics are under the removal threshold. 


e Thresholds: let us note a threshold T% (percentage). A sliding average of the in/out-bound traffic is 
calculated. To allow a link add, the measured traffic must be beyond (T% + (N-1)) x 64 kbps, where N 
is the number of currently open B-channels. To allow a link drop, the measured traffic must be under 
(T% + (N-2)) x 64 kbps. 


e Confirmation Window (noted W): to avoid link flapping, a confirmation window is used. The threshold 
condition must be valid for W seconds to trigger the link add/drop. 


To configure the number of outgoing call attempts and delay between attempts, use the next command: 


CLI (bo-call)> call-retry <retry-number> [<seconds>] 


By default, the number of retries is 0 and the delay is 5 sec. 
The parameters are configured under MLPPP: 


CLI (bo-call)> mlppp <id> 
CLI (bo-call-mlppp) > bw-on-demand {inbound | outbound} {add | remove} 
threshold <percent> [ window <seconds>] 


Default values: add/remove threshold = 80 %, add window = 5 sec, remove window = 2 sec. 
To monitor the traffic in only one direction use the next command: 


CLI (bo-call-mlppp) > bw-on-demand {inbound | outbound} no 


To restore default boda parameters: 


CLI (bo-call-mlppp) > bw-on-demand default 


All parameters are taken into account after entering the execute command. 


4.3.7.4 Configuration and Statistics 


Note that the following commands are common to PPP and MLPPP. However, some MLPPP specific 
parameters are displayed when the connection uses MLPPP. 


To display the BRI interface configuration, use: 


Page 4.3-206 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


CLI> show configuration interface isdn 


To display statistics for the ISDN service: 


CLI> show statistics isdn services 


To display PPP statistics, only for the ISDN interface: 


4.3.7.5 


CLI> show statistics isdn { ppp | mlppp } 


To display IP interface statistics: 





CLI> show interfaces 


Debug and Traces 


You can place a fake ISDN call to verify the ISDN connection. The next command calls the given ISDN 
number with an ‘Unrestricted Data’ Bearer Capability (meaning it is a data call not a voice call). If the call is 
setup, it means the called party accepts data call and has eventually authenticated the calling number. 
After successful call setup, the call is then interrupted. 


CLI> isdn test call <el64-nbr> 
It is possible to display all the ISDN protocol messages exchanged between the OneOS-based router and 
the ISDN terminal. Such traces rely on the generic logging function (cf. 3.11.4). 
Enter the following command: 
CLI> [no] debug isdn { 5/<0..7> | 2/0 | all } [ layer { 1 | 2 | 3 | 1&2 | 
2&3 | 1to3 } ] 


The first command argument is the ISDN port(s), whose ISDN messages will be logged. The second 
argument is the monitored ISDN layers (1: physical, 2: LAPD, 3: call control and other ISDN applicative 
messages). 


To display PPP/MLPPP traces: 
CLI> [no] debug ppp 


To display all WAN traces: 


CLI> event filter add wan all show 


To deactivate the WAN traces: 


CLI> event filter remove all 


4.3.7.6 Examples 


Example of ISDN configuration: 


configure terminal 
interface bri 2/0 
inactivity b-channel 5 
activity hdlc timer 6 
activity hdlc count 10 
isdn 

exit 

no shutdown 

execute 

exit 


Example of a Dial-in access: 


configure terminal 
interface isdn-dialer 2/0.1 
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incoming call management-site 
address 0102030405060708 
encapsulation ppp 

profile 0 

exit 

execute 

exit 


Example of ATM interface backup: 


configure terminal 
interface atm 0 
backup bri 2/0.6 
address 384000 
encapsulation ppp 
profile 0 

execute 

exit 

exit 


virtual-template ppp 0 

ipep static 

ip address 20.0.0.1 

mru local 1500 no 

mru remote 1500 no 

magic number not-—negotiable 
authentication no 

execute 

exit 


Example of MLPPP Connection over ISDN SO (Outgoing Call): 


configure terminal 
interface bri 2/0 
no shutdown 
execute 

exit 


virtual-template ppp 5 
ipep static 

ip address 20.0.0.4 
mru local 1500 no 

mru remote 1500 no 
magic number not-—negotiable 
authentication no 
reconnection datagram 
execute 

exit 

interface isdn-dialer 2/0.5 
outgoing call 

mlppp 0 

connection static 
descriminator 1 toto 
max-link 2 

max-revunit 4000 
header long 

exit 

address 2022024625 
encapsulation ppp 
profile 5 

exit 

execute 

exit 

exit 


Example of MLPPP Connection over ISDN SO (Incoming Call): 
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configure terminal 
interface bri 2/0 
no shutdown 
execute 

exit 


virtual-template ppp 1 
ipep static 

ip address 20.0.0.1 
mru local 1500 no 

mru remote 1500 no 
authentication no 
execute 

exit 


interface isdn-dialer 2/0.5 
incoming call 
address 1012024612 
mlppp 0 

connection static 
max-link 2 
max-rcevunit 4000 
header long 

exit 

encapsulation ppp 
profile 1 

exit 

execute 

exit 

exit 


Callback example: 


configure terminal 

interface isdn-dialer 5/0.1 
inactivity b-channel 0 
both-way call 
address-outgoing 2123456789 


address-outgoing 1123456789 secondary 


callback-address 2123456789 
profile 1 
call-retry 2 
mlppp 0 
connection static-—boda 
discriminator 1 ZWRS 
header long 
max-link 16 
exit 
exit 
execute 
dialer-group idle-timeout 20 
service-policy output LFIS 
exit 
interface bri 5/0 
isdn 
application-interface data 
exit 
no shutdown 
exit 


4.3.8 Configuration of PSTN Modem 


4.3.8.1 


Service Description 


The ONE60/100/200 products can be equipped with an optional analog modem. The modem enables a 
dial-up connection for backup of IP services. 
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The same backup types as for ISDN are provided: 


1) Multipath backup routing: 2 routes must be configured. The main route has a metric that is lower than 
the metric going through the PSTN modem interface. When the main route is not available, the router 
sends packets through the analog modem interface. The PPP connection over the PSTN is set-up 
dynamically and the connection is released after an inactivity period. This inactivity period is due to the fact 
that there is either no traffic or the traffic is routed on the main route again (main link has become up 
again). 


2) Interface backup: the serial interface/ATM PVC has configured so that the modem connection is set-up 
dynamically when the main interface is down. The modem connection is released when the main interface 
is up again. 


4.3.8.2 Configuration 


The configuration steps are the following: 
1. Enable the modem interface and optionally set physical parameters. 
2. Select whether the interface shall be using multipath or interface backup routing. 


3. Set modem link parameters. These parameters are common to both backup modes. 
4.3.8.2.1 Physical Interface Parameters 


To enable the PSTN modem, enter in PSTN configuration mode from the ‘configuration terminal’: 


CLI(configure)> [no] interface pstn 2/0 


You may wish to change some parameters of the physical modem layer. To do so, enter in physical layer 
configuration as follows: 


CLI (config-if)> physical-layer 


The maximum physical-layer transmit unit (MTU) can be set in bytes (default: 1500) as follows: 





CLI (physical-layer)> mtu <1..1500> 


By default, the modem is disconnected even if there is no traffic. To configure the inactivity period, use the 
following command to set the inactivity timer (in seconds) after which the modem is disconnected 
(0 means no inactivity timer): 


CLI (physical-layer)> channel inactivity timer <0..3600> 


You can change the dialing type (default: tone dialing): 





CLI (physical-layer)> modem { pulse-dial | tone-dial } 


The country can be changed (default: France): 











CLI (physical-layer)> country { FRANCE | ITALY | SPAIN | GERMANY | UNITED- 
KINGDOM } 


It is possible to configure the ringing burst number received before answering an incoming call (default: 
1 ring). The parameter is set under physical PSTN interface. It is used by the PSTN incoming call service 
as far as it is created (i.e. as far as the modem is set to accept the call). 


To modify the value, the incoming call service must be removed and re-created. 
CLI (physical-layer) > modem ring-nbr-to-answer <n> 
To finish the interface configuration, enter the following commands: 
CLI (physical-layer)> exit 
CLI (config-if)> execute 
CLI (config-if)> exit 


4.3.8.2.2 Interface Backup Routing 


First select the interface, which must be backed up: 
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CLI (configure)> interface { atm 0.<id> | serial 0.<id> } 
CLI (config-if)> 





Then enable the PSTN backup: 
CLI (config-if)> [no] backup pstn 2/0.<id> 


<id> is an arbitrary number ranging from 1 to 32. 


The next parameters to be configured are in 4.3.8.2.4 Common Link Parameters. 


4.3.8.2.3 Multipath Backup Routing 


From the global configuration terminal, enter the following commands: 
CLI (configure)> interface pstn 2/0.<id> 
CLI (config-if)> [no] outgoing-call [<name>] 
CLI (out-call)> 
<id> is an arbitrary number ranging from 1 to 32. 
The next parameters to be configured are in 4.3.8.2.4 Common Link Parameters. 


Do not forget that a route with an appropriate metric must exist to allow multi-path routing. 


4.3.8.2.4 Common Link Parameters 


To ease the reading of the configuration, you can enter an interface name as follows: 


CLI (out-call)> sub-interface <name> 


The called address must be entered: 


CLI (out-call)> address <E.164> 





By default, the encapsulation is PPP and is set as PPP as follows: 





CLI (out-call)> encapsulation PPP 


To apply PPP parameters to this connection, a profile number is attached. The profile corresponds to a 
virtual PPP template, which must have been previously defined. To attach the profile number (default: 0), 
use the following command: 


CLI (out-call)> profile <0..32> 


Some modem parameters can be set when entering in modem configuration mode: 


CLI (out-call)> modem 


The modem modulation can be forced: 





CLI (out-call-—modem)> modulation { V90 | NEGOTIATE | V22B } 


Default: 'Negotiate’. The modem compression can be selected: 


CLI (out-call-modem)> compression { NONE | V42B | V44 } 


Default: v44. The error correction scheme might be forced: 





CLI (out-call-modem)> error-correction { NONE | V42 | MNP | LAPM} 


Default: v42. The modem fallback can be disabled (default: enabled). The modem fallback permits the use 
of more robust modulation in case of poor quality line. The command is: 


CLI (out-call-modem)> fallback { enable | disable } 


You can also customize the Hayes command: 
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CLI (out-call-modem)> [no] customization <at-—command-string> 


Then enter 2 times 'exit', then the 'execute' command and 'exit' again. 
4.3.8.3 Statistics and Traces 


You can place a fake call to verify the connection. The next command calls the given number. If the call is 
setup, it means the called party has synchronized the modem. After successful call setup, the call is 
immediately interrupted. 


CLI> pstn test call <e164-nbr> <slot>/<port>.<sub-interface> 


To monitor the statistics of the PSTN connection: 


CLI> show statistics pstn ppp 


To monitor the statistics of the PSTN backup service: 


CLI> show statistics pstn service 


To obtain traces of the PSTN dial-up connection: 





CLI> trace filter add wan dial pstn 1 show 


As of V3.7R11 software release the above command is deprecated and is replaced by: 


CLI> debug pstn 2 
CLI> debug dialup 2 


4.3.8.4 Example 


A router makes an outgoing call that backs up a main connection over ADSL. The ADSL connection is 
identified by the ATM PVC interface 0.1. 


! PSTN interface declaration 

! Enable shutdown of the connection after 
! 20 s of inactivity 

interface pstn 2/0 

physical-layer 

channel inactivty timer 20 

exit 

execute 

exit 


! PPP virtual template for the PSTN connection 
virtual-template ppp 1 

ipcep dynamic 

authentication chap/pap 

username me 

password ***xx** 

reconnection datagram 

execute 

exit 


interface atm 0.1 

! Enter here the interface parameters 
! like 'pvc pppoa ...' 

backup pstn 2/0.1 

address 1234 

profile 1 

execute 

exit 

exit 


! Declare default routes then backup routes 


ip route 0.0.0.0 0.0.0.0 atm 0.1 
ip route 0.0.0.0 0.0.0.0 pstn 2/0.1 2 
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4.3.9 Internal EDGE/GPRS Modem 


This section applies to the products ONECell25, ONECell35 (working as EDGE/GPRS modem) and 
ONE20/100 (equipped with an internal EDGE/GPRS module). 


4.3.9.1 PIN Code 


The internal modem requires a SIM card to be present to operate. At first modem installation, the PIN code 
must be installed. For security sake, the SIM code is not shown by the show running-config 
command. The PIN code is saved in encrypted form in a special file of the router flash file system. 


The OneOS-based router gives the PIN code once; if the PIN code is incorrect, the product expects that 
the user enters another PIN code. If the user entered a series of (usually 3) wrong PIN codes, the SIM 
card is blocked by the GSM network. In that case, the user must contact the GSM provider to get a Pin 
code Unblocking Key (PUk). 


The following commands are available from the CLI root. First, make sure that the SIM card is properly 
installed and detected by the system. 




















CLI> show edge-modem equipment 
Edge Modem Information 
anufacturer identification : Enfora, Inc. 
Equipment information : Enabler-II E Modem 
Revision identification : S/W v0.2.1 
Equipment information (IMEI) > 01065600070006 
Firmware Package Version > «44 
PIN status : PIN code is not blocked (counter=3) 
SIM card status : SIM card is present 
GPRS and EGPRS classes : 10,10 





Counter=3 indicates the number of remaining attempts to enter a correct PIN code. 
PIN code installation of (an unblocked) SIM card is done with the next command: 


CLI> edge-modem pin-code install <pin-code> <confirm-pin-code> 


If the PIN code was successfully installed once, it can be changed as follows: 





CLI> edge-modem pin-code change <old-pin-code> <pin-code> <confirm-pin- 
code> 


To unblock a SIM card, ask the GSM provider for a temporary PIN code (PUK, usually an 8-digit PIN code) 
and specify the new PIN code: 


CLI> edge-modem pin-code unblock <puk> <pin-code> <confirm-—pin-code> 
4.3.9.2 Configuring GPRS/EDGE Connection 


Foreword: there is no parameter to select EDGE or GPRS modulations. The network forces the modem to 
behave in the mode authorized by the network. Upstream and downstream bandwidth may not be steady 
as it depends on radio link quality and bandwidth allocation by the network. As the modem type is multi- 
class slot 10, the peak download throughput is 236 kbps and peak upload is 118 kbps. 


The GSM provider usually gives the following parameters to setup GPRS/EDGE connection: an APN 
(Access Point Name), a username and password. This section explains where these parameters are 
entered. 


First, configure a PPP virtual-template (see 4.3.5 for more information). Some parameters MUST have 
certain value to operate the EDGE/GPRS connection: 


e Authentication: PAP (use the username and password provided by your GPRS network operator). 
e Magic number: not-negotiated 


CLI (configure)> virtual-template ppp <1-32> 
! next command is optional: to learn DNS server from network 
CLI (config-virt-—ppp)> ipep dns-accept 
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CLI (config-virt-—ppp) > autentication pap 

CLI (config-virt-ppp) > username <username> 

CLI (config-virt-—ppp)> password <password> 

CLI (config-virt-—ppp)> magic number not-negotiable 
CLI (config-virt-—ppp)> reconnection {auto | datagram} 
CLI (config-virt-ppp) > execute 

CLI (config-virt-ppp) > exit 

CLI (configure) > 





Sometimes, the username and password parameters are empty. To enter an empty username / password, 
use the command: 


wi 


CLI (config-virt-—ppp)> username 
CLI (config-virt—ppp)> password “” 





If reconnection datagram is selected, the connection is established only if IP packets have been 
routed to that interface. In case of link inactivity, the EDGE connection is disconnected. This mode is 
managed by the dialer-group function. If reconnection auto is selected, the EDGE interface is 
permanently connected (and reconnected automatically in case of loss of connectivity). The EDGE 
interface can be forced down as long as another interface or IP route is up. This mode is managed by the 
dialer-watch function. To learn more about dialer-group and dialer-watch, consult the section 4.3.13. 


The registration is first done at the GSM level then at the GPRS/EDGE level. Two registration failures are 
taken into account: lack of registration at start-up (power-up or reset) and lost of the registration (after a 
successful registration). For both cases a command line allows to set the time after witch a reset command 
(ATSRESET) is sent to the modem. An optional parameter allows choosing one registration or the other or 
both. 














To reset the modem after some minutes of lack of registration at start-up use the following command. The 
default behavior is 'power-on-registration reset after 15 GSM-or-GPRS'. Use 'default 
power-on-registration reset’ to return to the default behavior. 


CLI (out-call-edge)> [no] power-on-registration reset after <minutes> 
[GSM-only | GPRS-only | GSM-or-GPRS] 


To reset the modem after some minutes of lost of registration use the following command. The default 
behavior is 'loss-of-registration reset after 5 GSM-or-GPRS'. Use ‘default loss-of- 
registration reset' to return to the default behavior. 


CLI (out-call-edge)> [no] loss-of-registration reset after <minutes> 
[GSM-only | GPRS-only | GSM-or-GPRS] 


To avoid a modem lock when there is no traffic at all, it is possible to disconnect the call when there is no 
traffic either in both directions or only in the receiving direction. For both cases a command line allows to 
set the time after witch the call is disconnected. It will be reconnected depending on the reconnection 
parameter of the virtual-template PPP. 


To disconnect the call after some minutes without traffic in both directions use the following command. The 
default behavior is 'disconnect-timeout on-no-traffic after 240' (4 hours). 





CLI (out-call)> [no] disconnect-timeout on-no-traffic after <minutes> 


To disconnect the call after some minutes without response traffic use the following command. The default 
behavior is 'disconnect-timeout on-no-response after 5’. 





CLI (out-call)> [no] disconnect-timeout on-no-response after <minutes> 


To configure the logical IP interface of the modem, create a PSTN interface: 


CLI (configure)> interface pstn 2/0.<1-255> 
CLI (config-if)> outgoing-call 

! <gprs-service-nbr> is usually *99***1# 
CLI (out-call)> address <gprs-service-nbr> 
! PPP virtual template 

CLI (out-call)> profile <virt-—ppp-profile> 
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4.3.9.3 Configuration Examples 


Simple Always-On Internet Connection over EDGE: 


interface bvi 1 


ip address 192.168.1.1 255.255.255.0 


bridge-group 1 
exit 
interface fastEthernet 0/0 
no ip address 
bridge-group 1 
exit 
interface fastEthernet 1/0 
no ip address 
bridge-group 1 
exit 
dialer watch- 
virtual-template ppp 1 
ipcp dns-accept 
authentication pap 
username orange 
password orange 
magic number not-—negotiable 
reconnection auto 
execute 
exit 
interface pstn 2/0.1 
outgoing-call 
address *99***1# 
profile 1 
exit 
execute 
ip nat inside overload 
exit 


ip route 0.0.0.0 0.0.0.0 Pstn 2/0.1 


ip dns-proxy dns-server learn 
ip name-server 127.0.0.1 
ip dhcp pool CLIENT_LAN 


network range 192.168.1.2 192.168.1.254 


default-router 192.168.1.1 
dns-server 192.168.1.1 
exit 

exit 


EDGE Interface started only if an interface is down 


interface dialer 0 

! PPPoE configuration 

! 

exit 

dialer watch-list watchpppoe 
interface dialer 0 

exit 

virtual-template ppp 1 

ipcp dns-accept 
authentication pap 


CLI (out-call)> disconnect-timeout on-no-traffic after <minutes> 

CLI (out-call)> disconnect-timeout on-no-response after <minutes> 

CLI (out-call)> edge-modem 

CLI (out-call-edge) > access—point-—name <apn> 

CLI (out-call-edge) > power-on-registration reset after <min> GSM-or—GPRS 
CLI (out-call-edge) > loss-of-registration reset after <minutes> 

CLI (out-call-edge)> exit 

CLI (out-call)> exit 

CLI (config-if)> execute 

CLI (config-if)> exit 
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username orange 
password orange 
magic number not-—negotiable 
reconnection auto 
execute 
exit 
interface pstn 2/0.1 
outgoing-call 
address *99***1# 
profile 1 
exit 
execute 
ip nat inside overload 
dialer watch-group watchpppoe 


exit 
ip route 0.0.0.0 0.0.0.0 dialer 0 
ip route 0.0.0.0 0.0.0.0 Pstn 2/0.1 200 


4.3.9.4 Statistics and Troubleshooting 


To show information about the EDGE module: 


CLI> show edge-modem equipment 


To display information about the radio network: 


CLI> show edge-modem network 


To display the AT commands passed by the router to modem: 
CLI> debug dialup <level: 1-4> 


4.3.10 Internal UMTS Modem 


This section applies to the product ONECell35. 


Note: most of the commands are similar to the ones of the internal EDGE/GPRS modem of the 
ONECell25 product. Refer to them if more explanations are needed (mind to replace the edge- 
modem command by the cellular-radio command). 


4.3.10.1 PIN Code 


The internal modem requires a SIM card to be present to operate. At first modem installation, the PIN code 
must be installed. For security sake, the SIM code is not shown by the show running-config 
command. The PIN code is saved in encrypted form in a special file of the router flash file system. 


The ONECell35 gives the PIN code once; if the PIN code is incorrect, the product expects that the user 
enters another PIN code. If the user entered a series of (usually 3) wrong PIN codes, the SIM card is 
blocked by the UMTS network. In that case, the user must contact the UMTS provider to get a Pin code 
Unblocking Key (PUk). 


The following commands are available from the CLI root. First, make sure that the SIM card is properly 
installed and detected by the system. 


CLI> show cellular-radio equipment 
Cellular Radio Modem Information 





anufacturer identification : Sierra Wireless, Inc. 
Equipment information : MC8785V 
Revision identification : J0O_O_4_ IAP ... 
Equipment information (IMEI) : 351532020030976 





SIM Card Information 
SIM card status : SIM card is present 
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SIM International Mobile Subscriber Identity IMSI : 208101384000299 
Integrated Circuit Card ID > 98330131705364604060 


PIN Information 
PIN code status : entered OK 


PIN code installation of (an unblocked) SIM card is done with the next command: 


CLI> cellular-radio pin-code install <pin-code> <confirm-—pin-—code> 


If the PIN code was successfully installed once, it can be changed as follows: 





CLI> cellular-radio pin-code change <old-pin-code> <pin-code> <confirm-— 
pin-code> 


The current PIN code can be uninstalled with the next command: 


CLI> cellular-radio pin-code uninstall 


To unblock a SIM card, ask the UMTS provider for a temporary PIN code (PUK, usually an 8-digit PIN 
code) and specify the new PIN code: 


CLI> cellular-radio pin-code unblock <puk> <pin-code> <confirm—pin-code> 
4.3.10.2 Configuring UMTS Connection 


Foreword: the UMTS modem is also able to work as an EDGE/GPRS modem. 


Upstream and downstream bandwidths may not be steady as they depend on radio link quality and 
bandwidth allocation by the network. In UMTS mode the peak download throughput is 7200 kbps and peak 
upload is 2000 kbps. In EDGE/GPRS mode the modem type is multi-class slot 12, the peak download 
throughput is 236 kbps and peak upload is 236 kbps. 


The UMTS provider usually gives the following parameters to setup UMTS connection: an APN (Access 
Point Name), a username and password. This section explains where these parameters are entered. 


First, configure a PPP virtual-template (see 4.3.5 for more information). Some parameters MUST have 
certain value to operate the UMTS connection: 


e Authentication: PAP (use the username and password provided by your UMTS network operator). 
e Magic number: not-negotiated 


LI (configure) > virtual-template ppp <1-32> 
next command is optional: to learn DNS server from network 
LI (config-virt-ppp)> ipcep dns-accept 
LI (config-virt-—ppp)> autentication pap 
LI (config-virt-—ppp) > username <username> 
LI (config-virt-—ppp)> password <password> 
LI (config-virt-—ppp) > magic number not-—negotiable 
) 
) 
) 


LI (config-virt-ppp execute 
config-virt-—ppp 
configure) > 


> 
> 
> 

LI (config-virt-—ppp)> reconnection {auto | datagram} 
> 
> 


LI 
LI 


exit 


OO OOO. OOO) sO 





Sometimes, the username and password parameters are empty. To enter an empty username / password, 
use the command: 


wi 


CLI (config-virt-—ppp) > username 
CLI (config-virt-—ppp)> password “” 





If reconnection datagram is selected, the connection is established only if IP packets have been 
routed to that interface. In case of link inactivity, the UMTS connection is disconnected. This mode is 
managed by the dialer-group function. If reconnection auto is selected, the UMTS interface is 
permanently connected (and reconnected automatically in case of loss of connectivity). The UMTS 
interface can be forced down as long as another interface or IP route is up. This mode is managed by the 
dialer-watch function. To learn more about dialer-group and dialer-watch, consult the section 4.3.13. 


The UMTS modem is able to use the 3G and/or the 2G radio access technologies. Use the following 
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command to select the radio access technology (auto is the default value): 


CLI (out-call-cellular)> radio-access-technology {2G-only | 3G-only |auto} 


Two registration failures are taken into account: lack of registration at start-up (power-up or reset) and lost 
of the registration (after a successful registration). For both cases an attach command (AT! CGATT) is 
immediately sent to the modem to register again. Only if the re-register does not succeed, a reset 
command (AT! RESET) is sent to the modem. A command line allows setting the time after witch the reset 
command is sent. 














To reset the modem after some minutes of lack of registration at start-up use the following command. The 
default behavior is ‘power-on-registration reset after 15'. Use 'default power-on- 
registration reset' to return to the default behavior. 


CLI (out-call-cellular)> [no] power-on-registration reset after <minutes> 


To reset the modem after some minutes of lost of registration use the following command. The default 
behavior is 'loss-of-registration reset after 5'. Use 'default loss-of-registration 
reset’ to return to the default behavior. 


CLI (out-call-cellular)> [no] loss-of-registration reset after <minutes> 


To avoid a modem lock when there is no traffic at all, it is possible to disconnect the call when there is no 
traffic either in both directions or only in the receiving direction. For both cases a command line allows to 
set the time after witch the call is disconnected. It will be reconnected depending on the reconnection 
parameter of the virtual-template PPP. 


To disconnect the call after some minutes without traffic in both directions use the following command. The 
default behavior is disconnect-timeout on-no-traffic after 240 (4 hours). 





CLI (out-call)> [no] disconnect-timeout on-no-traffic after <minutes> 


To disconnect the call after some minutes without response traffic use the following command. The default 
behavior is disconnect-timeout on-no-response after 5. 





CLI (out-call)> [no] disconnect-timeout on-no-response after <minutes> 


To configure the logical IP interface of the modem, create a PSTN interface: 


CLI (configure)> interface pstn 2/0.<1-255> 

CLI (config-if)> outgoing-call 

! <umts-service-nbr> is usually *99# 

CLI (out-call)> address <umts-service-nbr> 

! PPP virtual template 

CLI (out-call)> profile <virt-—ppp-profile> 

CLI (out-call)> disconnect-timeout on-no-traffic after <minutes> 
CLI (out-call)> disconnect-timeout on-no-response after <minutes> 
CLI (out-call)> cellular-radio 

CLI (out-call-cellular)> access—point-name <apn> 

CLI (out-call-cellular)> radio-access-technology <rat> 

CLI (out-call-cellular)> exit 

CLI (out-call)> exit 

CLI (config-if)> execute 

CLI (config-if)> exit 





4.3.10.3 Configuration Examples 


Simple Always-On Internet Connection over UMTS 


interface bvi 1 
ip address 192.168.1.1 255.255.255.0 
bridge-group 1 
exit 
interface fastEthernet 0/0 
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no ip address 

bridge-group 1 

exit 

interface fastEthernet 1/0 
no ip address 

bridge-group 1 

exit 

dialer watch- 

virtual-template ppp 1 

ipcp dns-accept 
authentication pap 

username orange 

password orange 

magic number not-—negotiable 
reconnection auto 

execute 

exit 

interface pstn 2/0.1 
outgoing-call 
address *99# 
profile 1 

exit 

execute 

ip nat inside overload 

exit 

ip route 0.0.0.0 0.0.0.0 Pstn 2/0.1 

ip dns-proxy dns-server learn 

ip name-server 127.0.0.1 

ip dhcp pool CLIENT_LAN 
network range 192.168.1.2 192.168.1.254 
default-router 192.168.1.1 
dns-server 192.168.1.1 

exit 

exit 


UMTS Interface started only if an interface is down 


interface dialer 0 
! PPPoE configuration 
! 
exit 
dialer watch-list watchpppoe 
interface dialer 0 
exit 
virtual-template ppp 1 
ipcp dns-accept 
authentication pap 
username orange 
password orange 
magic number not-—negotiable 
reconnection auto 
execute 
exit 
interface pstn 2/0.1 
outgoing-call 
address *99# 
profile 1 
exit 
execute 
ip nat inside overload 
dialer watch-group watchpppoe 


exit 
ip route 0.0.0.0 0.0.0.0 dialer 0 
ip route 0.0.0.0 0.0.0.0 Pstn 2/0.1 200 
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4.3.10.4 Statistics and Troubleshooting 


To show information about the UMTS module (see result above): 


CLI> show cellular-radio equipment 


To display information about the radio network: 


CLI> show cellular-radio network 











Status 

GSM registration status : registered (home network) 
GPRS registration status : registered (home network) 
Current selected operator : EF SFR 

Signal strength : bad (-83 dBm) 

Current radio access technology :  HSDPA/HSUPA 


Statistics 

Successful GSM registrations 

Successful GPRS registrations 

Loss of GSM registration 

Loss of GPRS registration because of loss of GSM 
Loss of GPRS registration because of network 
Reset on loss of GSM registration 

Reset on loss of GPRS registration 

Reset on failed initial registration 

CLI> 





oooooorn 


To display the AT commands passed by the router to modem: 
CLI> debug dialup <level: 1-4> 


4.3.10.5 UMTS module firmware download 


In same cases a different UMTS module firmware has to be used. Refer to the OneAccess Customer 
Support Department to get the files corresponding to an alternate firmware release. 


To download a file in the UMTS module, use the following command in CLI root mode: 
CLI> cellular-radio firmware-upgrade <file-path> 


Note: It may append that the firmware release consists of two files, a boot file and an application file. In 
such a case, the boot file must be downloaded first. 


4.3.11 External Modem Using AT Commands (GPRS) 


This functionality is discontinued as of V4.2 software release. 


4.3.12 Authentication of DSL Link based on PSTN/ISDN 


Opening PPP over a DSL uplink usually takes place when the access router is authenticated using a PAP 
or CHAP-based password authentication. The authentication is done by the router/DSLAM terminating the 
PPP session. However, this piece of equipment does not contain the database of users and passwords. 
This database is hosted (or simply queried) by a TACACS+ or RADIUS server. The following security 
issue is raised in the following case: if the terminating PPP router does not have information about the 
copper line, PPP is authenticated only based on the login/password pair. This means that the same router 
can be plugged to any DSL line and get network access. 


On a PSTN/ISDN connection, PPP is authenticated after login/password authentication AND identification 
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of the ISDN/PSTN phone number associated with the copper line. 


Authentication is an OneAccess patent-pending technique which goal is to acquire permission to enable 
the uplink interface when the router has just rebooted. Authentication uses standard PPP features to 
establish a session on a PSTN/ISDN interface. Authentication is successful when the PPP session has 
been established. This PPP session is then either closed or re-used by Autoconfiguration feature. 


Authentication success allows the uplink interface(s) to be enabled and PSTN/ISDN backup (dial-out) is 
allowed to be activated. Authentication failure forbids the use of the uplink interface(s) and PSTN/ISDN 
backup (dial-out) is not allowed to be activated. 


PSTN/ISDN incoming calls are not concerned by authentication. PSTN/ISDN dial-in is possible at any 
time. Note that an active dial-in PSTN/ISDN connection prevents the authentication process. The user is 
able to configure the number of retries and the delay between each retries of every PSTN/ISDN 
authentication call: this is made using configuration parameters in the outgoing or both call description at 
PSTN/ISDN interface level. 


4.3.12.1_ PSTN/ISDN Authentication Configuration 


The configuration is realized in two steps: first, the authentication profile is configured; then, the 
authentication template is applied to interfaces that must not be enabled until authentication is successful. 


The authentication profile is configured with the next commands: 





CLI (configure)> authentication oappp <client-method-name> 

CLI (config-auth)> {enable|disable} aux-led 

CLI (config-auth)> {enable|disable} hangup—immediate 

CLI (config-auth)> client <client-—name> 

CLI (config-auth-client)> interface {isdn <slot>/<port>.<id> | 
pstn <slot>/<port>.<id> } 
CLI (config-auth-client)> exit 

CLI (config-auth)> execute 

CLI (config-auth)> exit 


The aux-led parameter allows to the front-panel auxiliary LED to watch the authentication state. The 
default value is 'enable aux-led’. The hangup-immediate parameter allows to hang-up the 
PSTN/ISDN connection as soon as PPP reached the UP state. The default value is 'enable hangup- 
immediate’. <client-method-name> is further referenced in the configuration as the service 
authentication profile. <client-name> is an arbitrary string that is provisioned for future use. 














The authentication is done on the PSTN/ISDN sub-interface referenced by the ‘interface pstn' 
command. The PSTN/ISDN interface is a standard outgoing call PPP interface. Syntax example: 


interface { pstn | isdn } <slot>/<port>.<id> 
{ outgoing call | both-way call } 
address <E164> 
! WARNING: secondary is not supported on ISDN interface 
address <E164> secondary 
address <E164> secondary 











call-retry <number_of_retry> [<number_of_seconds>] 
profile <ppp-virt-template-id> 
exit 

execute 

exit 


Then, the authentication service can be applied to uplink interfaces: 


interface atm <port>.<id> 
pvc {pppoa|ipoa|pppoeoa} vpi <vpi> vei <vci> 
service-authentication <client-—method-name> 
execute 
exit 
exit 


4.3.12.2 Example 


authentication oappp pstnauthentication 
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client dialup 
interface pstn 2/0.1 
exit 

execute 

exit 

interface pstn 2/0.1 
outgoing call 
address 12345678 
call-retry 100 
profile 2 

exit 

execute 

exit 

interface atm 0.2 

pvc pppoa vpi 0 vci 32 
service-authentication pstnauthentication 
execute 
exit 

exit 


4.3.12.3 Traces and Debug 


Autoconfiguration traces are activated with the following event command: 


CLI> event filter add wan auth all show 


To remove such traces: 


CLI> event filter remove wan auth all show 


The possible failure reasons are: 


e local failure: no response from modem hardware failure 

e local failure: modem ERROR software failure 

e remote failure: modem BUSY remote side is busy 

e remote failure: modem NO CARRIER failure to connect with remote side 

e remote failure: modem NO ANSWER remote side don't answer 

e local failure: modem NO DIAL TONE PSTN cable not connected 

e local failure: modem DELAYED automatic dial out not yet successful 

e local failure: modem BLACKLISTED remote “blacklisted” (too many unsuccessful attempts) 


To display the current authentication status: 


CLI> show authentication status 


To display the authentication statistics: 


CLI> show statistics authentication 


To display the authentication configuration: 


CLI> show configuration authentication 
4.3.13 Activity Control of Backup & Switched Interfaces 
4.3.13.1 Introduction to Switched Interface 


Non-switched interface are interfaces such ATM PVC or FastEthernet which have two states: up and 
down. Switched interfaces are interfaces that can be established on-demand (a circuit must be established 
first between a caller and a called piece of equipment before data can flow through the interface); therefore 
it has three states: down (circuit cannot be established), dormant (the circuit is not established, but ready 
for establishment), and up (circuit established). An ISDN outgoing call interface is a switched interface. 


An ISDN ‘incoming call’ interface is not a switched interface because only two states are available for this 
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interface (up —connected—, down —waiting to be called—). An ISDN ‘both-way call’ is a switched interface 
when it dials out (same as ‘outgoing call’) and not switched when it is called (same as ‘incoming call’). 


On switched interfaces, a supervisor software module is responsible for opening and closing the circuit. 
The supervisor receives open/close requests from the dialer-group and from the dialer-watch-list modules. 
This supervisor also informs the dialer-group and the dialer-watch-list about the circuit status (down, 
opening, open, and closing). 


Dialer-group permits to open a switched interface on-demand when packets match some criteria and close 
the circuit after a certain time of inactivity. Dialer-watch-list requests a circuit to be permanently established 
as long as certain criteria are not fulfilled. Because both software modules are different entities, if dialer- 
watch-list has required ISDN to be open, the dialer-group may request to close the ISDN communication. 


4.3.13.2 Dialer-Groups 


When configuring a dial-on-demand connection on a BRI interface, it is possible to apply dialer-groups, 
that is to say a control on outgoing and/or incoming data flow, in order to establish and maintain 
connection. 


For example, an administrator may wish to establish an ISDN link, only when an outgoing telnet flow must 
be routed via the BRI interface. This control is made by an access-list that checks if the packet is a telnet 
packet or not. If the packet matches the access-list, the connection is established. Otherwise, the 
connection is not established. This type of filtering does not drop packets if the connection is already 
established. 


Similarly, once the link is established, the administrator may want the connection to stay up as long as 
user traffic is routed onto this interface. A filter checks that the traffic maintaining the link activity is not a 
mandatory flow. For example, SNTP or RIP sends periodically packets. It is desirable to disconnect the 
ISDN link, when SNTP or RIP is the only flows using ISDN. 


To maintain the connected state of the ISDN link opened via the dialer-group, an idle timer is reset each 
time a packet is matched by the access-list configured in the dialer-group. Non-critical flows must not 
match these access lists. If no access-list is configured, every packet passing through the interface 
resets the inactivity timer. It can be then necessary to define an access-list in both directions to 
allow the interface to be closed via inactivity. 


Although using access lists, a dialer-group filters packets in a different place than traditional access lists. 
The filtering is done as the first step for incoming traffic and as the last step for outgoing traffic. (NAT might 
be activated and yield to unexpected results when not paying attention to this fact.) 


Sometimes, it is desirable not to establish the backup link immediately. For example, an ADSL BAS may 
force a PPP renegotiation by clearing the PPP session. Reestablishing PPP takes some time and it is not 
mandatory in that case to open the backup interface. To realize such behavior, two timers were 
implemented. They are a delayed backup timer and a delayed backup abort timer: when a packet is routed 
to the backup interface, the timers are fired and this packet as well as all subsequent packets is dropped 
until the delayed backup timer is expired. If a packet is routed to that interface before the abort timer 
expires, the backup interface is opened. If no packet is routed to the interface in that time frame, the 
interface is not opened. 


The following diagram shows the dialer-group status. On the diagram below, you can notice that OneOS is 
ready to dial when a packet is routed to the ISDN interface, matched by the ACL and the dialer-group is in 
the IDLE state. An explanation of the ‘DOWN-FAILED’ status is provided after the diagram. 
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If the option down-if-failed is not configured, the interface managed by the dialer-group is always 
seen as being UP by the IP layer (as displayed in'show interfaces isdn-dialer'). Because the IP 
interface is seen UP, the IP routes set on this interface are always valid. The reason is the following: the 
ISDN or PSTN interface can always serve as backup for the main interface. Even if the dial-out connection 
failed, maybe the next connection attempt will be successful. That is the reason why the ISDN or PSTN 
interface managed by the dialer-group stays UP for further dial-out attempts. However, it might be 
necessary that this ISDN/PSTN interface be backed up by another interface, for example: 


e Backup of an ISDN sub-interface by another ISDN sub-interface (two different destinations with 
different PPP profiles) 


e Backup of an ISDN interface by a PSTN or GPRS interface 


If the option down-if-failed is not configured, both above-mentioned backup scenarios cannot be 
realized. That is why new states were introduced in the dialer-group state machine. The new states forces 
the interface to be DOWN if the connection failed. Subsequently the routes set on this interface disappear 
and routes with a lower metric/distance become then valid routes (and can redirect packets to a secondary 
backup path). While the interface is DOWN, it constantly tries to reconnect. The IP interface (as shown by 
‘show interfaces isdn-dialer') goes up again if one of the following conditions is met: 





e Successful connection 


e The retry-abort interface has gone UP. This interface (e.g.: atm 0.1) is usually the main interface. If 
this interface is UP, no backup is needed; therefore, ISDN/PSTN connection is aborted. 


To configure an outbound dialer-group on a BRI interface, use the following command line: 


CLI (configure)> interface { isdn-dialer | pstn } <slot-number>/ 
<portnumber>.<connection-id> 
CLI (config-if)> dialer-group ip <acl_out> out 


<acl_out> is the defined access-list. It filters the flows that are allowed to open the connection. In 
general, such access list is made up of a ‘permit any' and deny commands for the protocols that must not 
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maintain the connection open. 
Inbound flow can also be checked against an inbound dialer-group, so as to maintain line established: 
CLI (config-if)> dialer-group ip <acl_in> in 
<acl_in> is the defined access-list. When a packet matches this access list, the idle timer is reset. So, 
the above command can be important to determine when the ISDN connection can be disconnected. 
To remove an outbound dialer-group, use the following command line: 


CLI (config-if)> no dialer-group ip out 


To remove an inbound dialer-group, use the following command line: 

CLI (config-if)> no dialer-group ip in 
Note that if no dialer-groups are configured on a BRI interface, all traffic is authorized to connect and to 
maintain the ISDN line open. 


To configure the inactivity timer on BRI interface, use the following command line in interface command 
mode: 


CLI (config-if)> dialer-group idle-timeout <seconds> 


Default value for inactivity timer is 90 seconds. 
To configure the delayed backup, use the following command line in interface command mode: 
CLI (config-if)> [no] dialer-group delayed-backup 


CLI (config-if)> dialer-group delayed-backup delayed-period <seconds> 
CLI (config-if)> dialer-group delayed-backup abort-timeout <seconds> 


Default values: no delayed backup, delayed-period = 10 sec, abort-timeout = 10 sec. 
The command 'dialer-group differed-backup ... is deprecated. 


The connection establishment timer is a timer that monitors the establishment of the interface (from open 
request until PPP is UP). By default, it is 30 sec for ISDN and 60 sec for PSTN. To modify this timer: 


CLI (config-if)> dialer-group connection-wait-time <seconds> 


The initialization timer forbids the establishment of PSTN/ISDN while another link is going up (e.g. a DSL 
line is synchronizing). Default: 300 seconds. To modify this timer: 


CLI (config-if)> dialer-group initialization-timeout <seconds> 


To force the interface to be DOWN if the connection failed, use the next command: 


CLI (config-if)> dialer-group down-if-failed retry-timeout <seconds> 
[retry-abort atm 0.<id>] [max-retry <nbr> ] 


Default: disabled. There are several connection attempts every (connection-wait-time + retry-timeout) 
seconds (warning: the ISDN sub-interface can be configured such that it dials different ISDN numbers and 
retries several times). The retry-timeout must be longer than the maximum time required for an ISDN 
interface to dial and fail all connection trials). If the retry-abort interface is UP, the automatic reconnection 
is disabled and the interface goes UP again (For example on how to use such option, see the second 
example in this section). If the max-retry is not null and after max-retry connection attempts, the automatic 
reconnection is disabled and the interface goes UP again. If max-retry is null and retry-abort is not set 
(default values), connection attempts are done until connection succeed. 


To deactivate the down-if-—failed option: 


CLI (config-if)> no dialer-group down-if-failed 


The following example shows how acl_out and acl_in access-list permit access only from a specific 
sub-network to another sub-network. 


ip access-list extended acl_out 

permit ip 220.12.1.0 0.0.0.255 100.0.2.0 0.0.0.255 
exit 

ip access-list extended acl_in 

permit ip 100.0.2.0 0.0.0.255 220.12.1.0 0.0.0.255 
exit 
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interface bri 2/0.1 
dialer-group ip acl_out out 
dialer-group ip acl_in in 
dialer-group idle-timeout 30 

exit 


The next example activates the backup of an ISDN interface (isdn 2/0.1) by a PSTN interface (pstn 
0/0.1), while ISDN is the backup of atm 0.1 (backup priorities: 1) ATM, 2) ISDN and 3) PSTN): 


! preferred path is ATM, then ISDN 
ip route 0.0.0.0 0.0.0.0 atm 0.1 
ip route 0.0.0.0 0.0.0.0 isdn 2/0.1 200 
ip route 0.0.0.0 0.0.0.0 pstn 0/0.1 201 
interface isdn 2/0.1 
dialer-group down-if-failed retry-timeout 60 retry-abort atm 0.1 
exit 


4.3.13.3.| Backup using Route Monitoring (Dialer Watch-List) 


When using dialer-groups, you are able to control the opening and closing of switched interfaces (such as 
PSTN, BRI ...) based on link activity for selected flows. The dialer watch-list meets another type of 
requirement: when the main path to a destination is no more available, a backup interface must be open 
even if there is no traffic. For that purpose, selected routes and/or interfaces are monitored. When one or 
more of the monitored routes disappear from the routing table, the backup interface is open and remains 
open as long as the missing routes have not appeared on an interface other than the backup interface. 


The diagram below shows the state diagram of a dialer watch-list. 






NEED BACKUP 










Still Need 
Backup? 


CONNECTING 
CONNECTED 


Do not need backup anymore 


Failed to 
connect 














Still Need 
Backup? 






DISCONNECTING 


Disconnect 









Still Need 
Backup? 


Configuration 


First, you must configure a dialer watch-list to configure the monitored routes and interfaces. The following 
command is used under configuration terminal: 


CLI (configure)> dialer watch-list [{ logical-or | logical-and }] <list-— 
name> 
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CLI (watch-routes) > 


<list-name> identifies the watch list. The Llogical-or keyword (default) indicates that the backup can 
be activated when any interface or route declared in the watch-list is missing. When using Logical-and, 
all elements declared in the list must be missing to activate the backup interface. 


Then, you can declare the list of routes and interfaces to monitor: 


CLI (watch-routes)> ip <address> <mask> 
CLI (watch-routes)> interface <type> <unit> 





At startup, routes and interfaces are not monitored for a certain time. Therefore, backup is forbidden for 
a certain time at startup. This allows time for the DSL interface to synchronize with the DSLAM and 
routing protocols to provide routes (especially those that must be monitored). The timer is configured as 
follows: 


CLI (watch-routes)> initial-check-delay <seconds> 


Default delay: 120 seconds. Once the list is configured, enter exit. 


Then, the dialer watch-list is applied on the backup interface. For example, for a BRI interface: 
CLI (configure)> interface bri <slot>/<port>.<intf-id> 


CLI (config-if)> dialer watch-group <list-—name> 


The connect timer permits the backup interface to be open only few seconds after the routes/interfaces in 
the watch-list have disappeared. This dampens the transient effect of a route/interface missing few 
seconds that should not cause the interface opening (for example, unstable connection or renewal of the 
WAN IP address). The default value is 30 seconds. To configure the connect delay, the following 
command is used: 


CLI (config-if)> dialer watch-timer connect <seconds> 
The disconnect timer permits to close the interface few seconds after that the missing routes/interfaces in 


the watch-list have reappeared. By default, the interface is closed right after that the missing 
routes/interfaces are back. To configure the disconnect delay, the following command is used: 


CLI (config-if)> dialer watch-timer disconnect <seconds> 
Warning: the dialer-group must be disabled if you do not want the inactivity timer to shut down the 


interface periodically (command: dialer-group idle-timeout 0 orfno dialer-group idle- 
timeout). 


Statistics 
To display the dialer watch-group configuration, use: 


CLI> show dialer-watch-group config 


To display the dialer watch-group statistics: 


CLI> show dialer-watch-group statistics 


To enable dialer watch-group traces: 


CLI> debug dialer-—watch-group 


Example 


On the following diagram, the branch-office router receives the default route on its ADSL interface (atm 
0.1). When the router looses the connection to the central site, the default route will disappear. The 
default route is monitored to activate the ISDN backup. We assume that the ADSL/ATM interface is 
already configured as well as the BRI interface (outgoing call orboth-way call). 
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Let us assume RIP is used to distribute the default route. The WAN interfaces are on the network 
20.0.0.0/8. The following configuration commands must be added to allow the use of the dialer watch- 
group: 
router rip 
passive-interface fastethernet 0/0 
network 20.0.0.0 
exit 


dialer watch-list default-—route-monitor 
ip route 0.0.0.0 0.0.0.0 
exit 


interface bri 2/0.1 

dialer watch-group default-—route-monitor 

dialer watch-timer disconnect 60 

no dialer-group idle-timeout 

! Add 1 to metrics learnt via the BRI interface 

! So that the default route on the ATM interface 
! overwrites the default route on the BRI. 

ip rip metric 1 

exit 
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4.4 INTERWORKING FUNCTIONS FOR LEGACY PROTOCOLS 


4.4.1 FR- ATM Interworking 


This feature offers interworking functions between Frame Relay and ATM networks. 


Two types of Frame Relay-ATM interworking are defined by the Frame Relay Forum and implemented in 
OneOS: 


e FRF.5: transport of Frame Relay frames over ATM 


e FRF.8: translation between Frame Relay and ATM 


4.4.1.1 FRF.5 Frame Relay-ATM Network Interworking 
4.4.1.1.1 Principle 


FRF.5 permits Frame Relay (FR) end-users to communicate over an intermediate ATM network. The 
gateway between FR and ATM supports FRF.5. As the full FR frame is transported over the ATM network, 
this interworking is transparent to the FR payload and functions for any FR multiprotocol extension. 


When the OneOS-based router detects a fault on an ATM PVC (the intrusive ATM OAM must be enabled), 
its software enters into one of the following states: TP-state, VC-AlS-state, VC-RDI-state, VP-AIS-state, 
VP-RDI-state, VC-LOC-state, or failing loopback. When the PVC is in one of the previously mentioned 
state, the HDLC interface is placed out of service. 


When a defect is detected on the HDLC interface, a VC-AIS is sent, thus signaling the unavailability of the 
CPE. The interworking between faults signaled on the HDLC interface and the ATM VC makes it possible 
to carry out end-to-end surveillance of the data path. 


Example: 








ATM PVC ATM PVC == 


Frame Relay PVC Frame Relay PVC 








4.4.1.1.2 | FRF.5 Configuration 


Two modes are offered: 


e One-to-one connection: every DLCI must be configured and the user can define specific behavior for 
each DLCI. 


e Many-to-one connection: DLCI, which should have the same characteristics are grouped in a vc- 
group. Then, the connection is done for the group. The configuration steps are thus reduced for large 
number of DLCI. 
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4.4.1.1.3. One to one Interworking Connection 


Step 1: selection of the physical frame Relay interface: 


CLI> configure terminal 
CLI (configure)> interface serial <slot>/<port> 





Step 2: configuration of the encapsulation type: 


CLI (config-if)> encapsulation frf 


Step 3: selection of a switched frame relay DLCI: 


CLI (config-if)> frame relay interface-dlci <dlci-number> switched 


The entered parameters are validated using the following command: 


CLI (config-if)> execute 
4.4.1.1.3.1 Configuration of the ATM interface 


Step 4: selection of the ATM interface: 


CLI (configure)> interface atm <interface>.<subinterface> 


Step 5: selection of the ATM PVC with FRF.5 encapsulation: 


CLI (config-if)> pve frame-relay vpi <vpi number> vei <vci number> 


The entered parameters are validated using the following command: 


CLI (config-if)> execute 
4.4.1.1.3.2 | Connection Frame Relay to ATM 


Step 6: creation of a connection between the Frame Relay DLCI and the ATM PVC: 


CLI (configure) > connect network-interworking <connection-name> serial 
<port>/<slot> <dlci-number> atm <interface> vpi <vpi-number> vei <vci- 
number> [dlci-atm] 


"connection-name' is an arbitrary string designating the connection name. 'dici-atm' is the DLCI 
number of the Frame Relay packet once interworked through the FRF.5 function. This parameter is 
optional and enables DLCI translation. If not provided, the translated DLCI value is by default the same as 
the one on the serial interface. 


(Optional) Step 7: configuration of frame-based tagging. The ATM Cell Loss Priority (CLP) field in the ATM 
cell header and Discard Eligible (DE) bit mapping are configured for the configuration described in the 
FRF.5 standard, which also comprises EFCI to FECN mapping. CLP marking is selected the next 
command (Default: 0): 


CLI (config-FRF.5)> clp-bit { 0 | 1 | map-de } 


DE marking is enabled using the next command (Default: 'no de-bit map-clp'): 


CLI (config-FRF.5)> de-bit map-clp 


Then, the parameters must be validated: 


CLI (config-FRF.5)> execute 


4.4.1.1.4 Many to one Interworking Connection 


Step 1: selection of the physical frame Relay interface: 
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Q 


LI> configure terminal 
LI (configure)> interface serial <slot/port> 





(9) 


Step 2: selection of the encapsulation type: 


CLI (config-if)> encapsulation frf 


Step 3: declaration of the switched frame relay DLCI: 


CLI (config-if)> frame relay interface-dlci <dlci number> switched 


Validation of the parameters: 


CLI (config-if)> execute 


Step 4: Creation and configuration of a VC group. 


The 'vc-group' is the entity gathering DLCI, which will be processed similarly (same ATM PVC, same 
frame-based tagging). First, the 'vc-group' is declared: 


CLI (configure) > ve-group <group name> 


A DLCl is added to this group using the following command: 


CLI (config-ve-group)> serial <slot/port> <dlci-serial-link> [dlci-fr- 
SSCS-atm] 


"dlci-serial-link' is the selected DLCI on the serial port. The DLCI can be translated on the ATM 
side. 'dlci-fr-SSCS-—atm' is the translated value for 'dlci-serial-link'. This last command 
argument is optional; if not specified, the default value (1022) is taken. 


4.4.1.1.4.1 Configuration of the ATM interface 


Step 5: selection of the ATM interface: 


CLI (configure)> interface atm <interface>.<subinterface> 


Step 6: selection of the ATM PVC with FRF.5 encapsulation: 


CLI (config-if)> pve frame-relay vpi <vpi number> vei <vci number> 
CLI (config-if)> execute 


4.4.1.1.4.2 | Connection Frame Relay to ATM 


Step 7: selection of a connection between a Frame Relay DLCI group and an ATM PVC 


CLI (configure) > connect ve_group <connection-name> <group-name> 
atm <interface> vpi <vpi-number> vei <vci-number> 


(Optional) Step 8: configuration of frame-based tagging. The ATM Cell Loss Priority (CLP) field in the ATM 
cell header and Discard Eligible (DE) bit mapping are configured for the configuration described in the 
FRF.5 standard, which also comprises EFCI to FECN mapping. CLP marking is selected the next 
command (Default: 0): 


CLI (config-FRF.5)> clp-bit { 0 | 1 | map-de } 


DE marking is enabled using the next command (Default: 'no de-bit map-clp'): 


CLI (config-FRF.5)> de-bit map-clp 


The parameters must then be validated: 


CLI (config-FRF.5)> execute 
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4.4.1.1.5 Configuration example 


! Device interface configuration 


hostname ONE50 

interface FastEthernet 0/0 
ip address 200.16.1.20 255.255.255.0 
exit 

interface atm 0 

driver ident 0 

max channels 5 

max vce 5 

range vp min 0 max 0 

range vc min 32 max 36 
pvc management up-down 
execute 

exit 

gshds1l 

execute 

exit 

exit 


! ATM interface configuration 
interface atm 0.1 

pve frame-relay vpi 0 vci 35 
qos cbr pcr 2000000 

priority 2 

oam-pvc manage 

oam end-loopback 

execute 

exit 

exit 


! Serial interface configuration 
interface serial 0/0 
physical-layer 

no verify 

exit 


! FR configuration on serial interface 
encapsulation frf 

frame-relay interface-dlci 100 switched 
frame-relay interface-dlci 101 switched 
execute 

exit 


! vC group configuration 

vce-group MyGroup 

serial 0.0 100 100 

serial 0.0 101 101 

exit 

connect vc-group MyConnexion MyGroup atm 0 vpi 0 vci 35 
execute 

exit 


4.4.1.2 | FRF.8 Interworking 
4.4.1.2.1 Principle 


This service specified by the Frame Relay Forum allows a Frame Relay end-user to communicate with an 
ATM end-user. 
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4.4.1.2.2 | FRF.8 Configuration 


The LMI on the HDLC interface is managed by default, in order to signal unavailability of a single VC to the 
corresponding DLCI while other VCs remain operational. The surveillance of the ATM VC state is activated 
when the 'intrusive ATM OAM' is activated. The LMI NUI is managed. The LMI version is compliant 
with ITU-T Q.933 Annex A. 


Because the LMI is configured as a NUI, asynchronous status reports are not sent spontaneously. The 
device will reply to full status report requests received (on DLCI #0) and to requests for Link Integrity 
Verification (LIV). 


4.4.1.2.3 Serial Interface Configuration 
Step 1: selection of the frame Relay interface: 


CLI> configure terminal 
CLI (configure)> interface serial <slot>/<port> 


Step 2: selection of the encapsulation type: 


CLI (config-if)> encapsulation frf 


Step 3: selection of a switched frame relay DLCI: 
CLI (config-if)> frame relay interface-dlci <dlci number> switched 
CLI (config-if)> execute 


4.4.1.2.4 Configuration of the ATM interface 


Step 4: selection of the ATM interface: 


CLI (configure)> interface atm <interface>.<subinterface> 


Step 5: selection of the ATM PVC supporting the FRF.8 interworking function: 
CLI (config-if)> pve fr-atm-srv vpi <vpi-number> vei <vci-number> 
CLI (config-if)> execute 


4.4.1.2.5 Connection Frame Relay to ATM 


Step 6: creation of a connection between the Frame Relay DLCI and the ATM PVC 


CLI (configure)> connect service-interworking <connection-name> serial 
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<slot>/<port> <dlci-number> atm <interface> vpi <vpi number> vei <vci 
number> 


FRF.8 actually provides two operating modes. The translation mode removes the FR header and 
translates the encapsulation over ATM. The transparent mode keeps part of the Frame Relay header, 
which ensures no protocol-specific information is lost after encapsulation over ATM. This mode is useful 
for protocols where no standard ATM encapsulation exists (Such as VoFR or X.25). By default, the FRF.8 
is set in translation mode. If the FRF.8 transparent mode must be implemented, use the following 
command: 


CLI (configure)> no service translation 


Use 'service translation’ to re-activate the translated FRF.8 mode. 


(Optional) Step 7: configuration of frame-based tagging. The ATM Cell Loss Priority (CLP) field in the ATM 
cell header and Discard Eligible (DE) bit mapping are configured for the configuration described in the 
FRF.8 standard. CLP marking is selected the next command (Default: 0): 


CLI (config-FRF.5)> clp-bit { 0 | 1 | map-de } 


DE marking is enabled using the next command (Default: 'no de-bit map-clp'): 


CLI (config-FRF.8)> de-bit { 0 | 1 | map-clp } 


EFCI marking is enabled as follows: 
CLI (config-FRF.8)> efci-bit { 0 | 1 | map-fecn } 


Then, the parameters must be validated: 


CLI (config-FRF.5)> execute 


4.4.1.2.6 Configuration example 


configure terminal 
hostname ONE50 

interface FastEthernet 0/0 
ip address 200.16.1.20 255.255.255.0 
exit 

interface atm 0 

driver ident 0 

max channels 3 

max vc 3 

range vp min 0 max 0 

range vc min 32 max 34 
execute 

exit 

gshdsl 

execute 

exit 

exit 

interface atm 0.1 

pve fr-atm-srv vpi 0 vci 32 
qos cbr pcr 1000000 
priority 2 

execute 

exit 

exit 

interface atm 0.2 

pve fr-atm-srv vpi 0 vci 34 
qos cbr pcr 1000000 
priority 2 

execute 

exit 

exit 

interface atm 0.3 

Pvc pppoa vpi 0 vci 33 
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ip address 20.16.1.20 

ipep static 

authentication no 

qos cbr pcr 304000 

priority 2 

execute 

exit 

exit 

interface serial 0/0 

physical-layer 

no verify 

exit 

encapsulation frf 

frame-relay interface-dlci 16 switched 
frame-relay interface-dlci 17 switched 
execute 

exit 

connect service-interworking FRF.8 1 serial 0/0 16 atm 0 vpi 0 vci 32 
execute 

exit 

connect service-interworking FRF.8 2 serial 0/0 17 atm 0 vpi 0 vci 34 
execute 

exit 

ip route 220.16.1.0 255.255.255.0 20.16.1.3 
exit 


4.4.1.2.7 Status and Statistics Commands 


To display the serial link configuration use the following command: 


CLI> show configuration interface serial <slot>/<port> 


Example: 


CLI> show configuration interface serial 0/0 


Serial interface slot 0 port 0 


Physical layer mode: Autodetect 
Physical modulation type: Autodetect 
105 signal: default 

106 signal: default 

107 signal: default 

108 signal: default 

109 signal: default 

Rate: 2000000 

MTU: 1500 

Physical layer sync: Sync 
Physical layer sync mode: nrz 
Activity link timer: 1 

Activity link count: 3 
Encapsulation: FRF 

Frame relay interface dlci: 100 
Frame relay interface dlci: 101 
Interface status: DOWN 
Configuration status: Completed 


To display statistics regarding the interworking service use the following command: 


CLI> show statistics frfiwf 


Example: 


CLI> show statistics frfiwf 
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Statistics for FRFIWF 











SERIAL statistics 





3 DLCI registered 
65229 frames received 
0 frames rejected 





DLCI 0 (Connected to DLCI 0 on Serial) 
Connexion state is UP 

Bit DE is mapped to CLP 

Bit FECN is mapped to DLCI 

12585 frames bridged 

24 frames dropped 








DLCI 100 (Connected to DLCI 100 on Serial) 
Connexion state is UP 

Bit DE is mapped to CLP 

Bit FECN is mapped to DLCI 

24861 frames bridged 

1941 frames dropped 








DLCI 101 (Connected to DLCI 101 on Serial) 
Connexion state is UP 

Bit DE is mapped to CLP 

Bit FECN is mapped to DLCI 

23895 frames bridged 

1925 frames dropped 








AT 0/ 35 statistics 





3 DLCI registered 
32610 frames received 
0 frames rejected 





DLCI O (LMI server) 
Connexion state is UP 

Bit DE is mapped to CLP 
Bit FECN is mapped to DLCI 
18659 frames bridged 

3 frames dropped 








DLCI 100 (Connected to DLCI 100 on Serial) 
Connexion state is UP 

Bit DE is mapped to CLP 

Bit FECN is mapped to DLCI 

7133 frames bridged 

No errors 








DLCI 101 (Connected to DLCI 101 on Serial) 
Connexion state is UP 

Bit DE is mapped to CLP 

Bit FECN is mapped to DLCI 

6818 frames bridged 

No errors 

















RX FIFO informations 


AAL5 RX FIFO: 


current element: 0/256 (0%) 
max element: 10/256 (3%) 
time fifo was full: 0 

loop: 77067 

threshold reached: 0 


FR RX FIFO: 


current element: 0/200 (0%) 
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Nb max element: 9/200 (4%) 
Nb time fifo was full: 0 
Nb loop: 65119 

Nb threshold reached: 0 


To display statistics of an FRF.8 connection, use the following command: 





CLI> show statistics pve fr-atm-srv <atm-interface-number> vpi <vpi- 
number> vei <vci-number> dlei <dlci-number> 


To display statistics of an FRF.5 connection, use the following command: 


CLI> show statistics pvc frame-relay <atm-interface-number> vpi <vpi 
number> vei <vci number> dlci <dlci number> 


Example: 


CLI> show statistics pvc frame-relay 0 vpi 0 vci 35 dlci 100 





Statistics for DLCI 100 on VP/VC 0/35 








Line status is UP 

PVC on network side is UP 
Connexion state is UP 

OQ frames received 

0 frames bridged 








No errors 











To display statistics regarding the FR-ATM interworking connections use this command: 


CLI> show connection 


Example: 


CLI> show connection 


ID Name Segment 1 Segment 2 State 











1 FRF.5_1 Serial 0/0 100 ATM 0.1 0/35 100 UP 
2 FRF.5_2 Serial 0/0 101 ATM 0.1 0/35 101 UP 
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4.4.2 X.25 over TCP/IP (XOT) 


IP networks enable the use of a single infrastructure type enabling the convergence of multiple protocols 
and applications. The purpose of XOT (RFC 1613) is to transport X.25 packets over IP networks. The X.25 
backbone network is replaced by IP. The XOT standard defines an encapsulation of X.25 packets as TCP 
payload. Remote endpoints connected to a XOT gateway still use X.25 natively. OneOS provides an XOT 
Gateway function. 




















X.25 
Terminal XOT XOT 
7 Gateway Gateway 
X.25 TCP X.25 
<< —_» <+*—_» 





The protocol stack is organized as follows: 








X.25 Terminal | XOT Gateway 







X.25 Switching 


X.25 Layer 2/3 X.25 Layer 2/3 XOT Interworking 


Serial: Serial: 
V.11/V.35/V.28 V.11/V.35/V.28 






























X.25 is a connection-oriented protocol, which is similar in some extent to TCP in the IP world. When a X.25 
virtual circuit must be established using X.25 signaling, a corresponding TCP session (TCP port: 1998) is 
created. X.25 packets are transported in that TCP session. The TCP session is then created when 
receiving a X.25 call setup. When the TCP session is open, the X.25 virtual circuit can be established. The 
TCP session must remain operational as long as the X.25 circuit is not cleared. There must be a 
consistency between TCP and X.25 virtual circuit state: 


e ATCP disconnection results in disconnecting the X.25 circuit 
e X.25 call clearing results in TCP disconnection 


Layer-3 X.25 packets are sent transparently inside the XOT header. However, the OneOS XOT Gateway 
service manages locally X.25 layer-2/3 flow control. Indeed, TCP already has its own flow control and 
relaying X.25 flow control would result in unnecessary traffic and poor performance. 


X.25 circuits are setup dynamically by calling X.121 addresses designating the remote X.25 endpoints. 
Therefore, a routing table is required to convert X.121 addresses into remote XOT gateway IP addresses. 
If the call setup is not achieved properly, the routing table allows the definition of backup addresses and 
route calls to the alternate XOT gateways if the main XOT gateway does not respond. 


Instead of using an internal routing table, OneOS is also able to query a DNS server which provides an 
X.121 address <> IP address translation function. 
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4.4.2.1. Configuration Commands 


The XOT gateway configuration requires several configuration steps: 
e —_ Serial interface configuration 

e X.25 Layer-2 configuration 

e X.25 Layer-3 configuration 

e = X.121 <---> IP routing table 


4.4.2.1.1 Serial Interface 


In global configuration mode, the serial interface shall be declared: 


CLI (configure)> interface serial <slot>/<port> 


The serial interface can be shutdown: 


CLI (config-if)> [no] shutdown 


If some parameters must be set for the physical interface, enter then: 


CLI (config-if)> physical-layer 


Refer to section 4.3.4.1 for details about physical layer configuration. In serial interface configuration 
mode, the following command declares the serial port in X.25 mode: 


CLI (config-if)> encapsulation x25 
CLI (x25) > 





4.4.2.1.2 X.25 Layer-2 


To enter layer-2 configuration parameters, use the following command: 


CLI(x25)> lapb { dte | dce } 
CLI (x25 lapb)> 





The default value is 'dce'. In this configuration mode ('x25 lapb' CLI prompt), several parameters can 
be adjusted: 


CLI (x25 lapb)> modulo { 8 [K <1..7>] | 128 [K <1..127>] } 
Configures the numbering size: it can be numbered modulo 8 (default). The window K can be adjusted 


(should be set high for long transit delays). When the numbering is modulo 8, K is by default 7, otherwise it 
is 30. 


CLI (x25 lapb)> N2 <1..255> 


Provides the maximum number of retries for a frame unacknowledged by the remote side; Default: 10 
retries. 

CLI (x25 lapb)> T1 <1..640> 
Provides in tenths of seconds the retransmission timer indicating the maximum delay after which the LAPB 
protocol will retransmit an unacknowledged frame. Default: 30 sec. 

CLI (x25 lapb)> T2 <1..160> 
Provides in tenths of second (default is 7) the maximum delay after which the LAPB will acknowledge a 
received frame. T2 is usually T1/4 frame acknowledge timer. 


When parameters are set, enter the exit command. 


Page 4.4-239 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


4.4.2.1.3 


X.25 Layer-3 Configuration 


To enter in X.25 packet configuration mode, enter the following command, beginning in X.25 interface 
configuration mode: 


CLI (x25)> packet { dte | dce } 
CLI (x25 packet) > 





The default behavior is the 'dce' mode. Then, in this configuration mode you can enter some additional 
layer-3 parameters: 


CLI(x25 packet)> lic <0..4095> 
e (Default is 0) 


e We can define the range of values for the identifier designating the X.25 logical channel. The 
above command sets the lowest incoming circuit number. 


CLI (x25 packet)> hic <0..4095> 
e (Default is 0) 


e — Highest incoming circuit number (0 means no check on the upper value). 


e hic must be equal or greater than lic. 


CLI (x25 packet)> 1lte <0..4095> 
e = (Default is 1) 


e Lowest two-way circuit number. 


CLI (x25 packet)> hte <0..4095> 
e = (Default is 8) 


e Highest two way circuit number (0 means no check on the upper value). 


e htc must be equal or greater than Ltc. 


CLI (x25 packet)> loc <0..4095> 
e (Default is 0) 


e Lowest outgoing circuit number (0 means no such circuit). 


CLI (x25 packet)> hoc <0..4095> 
e (Default is 0) 


e Highest outgoing circuit number (0 means no such circuit) 


e hoc must be equal or greater than loc. 


The maximum number of Virtual Circuit is checked when executing the CLI command ‘execute’. When 
entering the ‘execute’ command, some memory space is reserved to guaranty X.25 call establishment. If 
the maximum is reached (50 VC) the configuration is refused with an error message. 


CLI(x25 packet)> [no]Jcug <00..99> 
e Selects a Closed User Group (CUG) to which the X25 subscriber will be part of. 


e A subscriber may belong to up to 30 CUG. 


CLI (x25 packet)> [no]x25-address <x121-address> 
e X.121 address of the X.25 subscriber (serial interface). This parameter can be used to route 
incoming XOT calls to the proper X.25 serial interface. 


e When present, this address must be inserted as calling-address in incoming call packets if 
initially not present in the call packet received from the X.25 subscriber. 
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CLI (x25 packet)> [no] X25-outgoing suppress called-address 
e Selects or not the option of called address suppression in the call packet format (sent on the 
X.25 interface). 


e When present, the called address must be suppressed in the outgoing call packet. Default: 
disabled. 


e This command has a higher priority than any conversion command (because it is applied after 
any conversion). 


CLI (x25 packet)> [no] X25-outgoing suppress calling-address 

e Selects or not the option of calling address suppression in the call packet format (sent on the 
X.25 interface). When present, the calling address must be suppressed in the outgoing call 
packet. 


CLI(x25 packet)> [no] X25-outgoing convert called-address <match-mask> 
[<string>] 
This command converts the X.121 called address field for X25 calls issued to terminal for X25 calls issued 
to terminal (outgoing calls from OneOS X25 interface). This command has a lower priority than any 
suppression commands (which are applied before). Only one conversion can be defined per interface. 


The first parameter <mat ch-mask> is mandatory and allows selecting the addresses on which conversion 
is applicable. This parameter is a string with the following characters: 


e any digits from 0 to 9: this characters must match exactly 
e = '#": any (non-void) digit matches 


e ™: it can be entered only once at the end of the string. Any remaining digits or none are matched. 


Examples: 
<match-mask> <x121 address> Result 
8000## 80004 no match 
8000## 800044 match 
8000## 8000444 no match 
8000##* 8000444 match 
SH4#* 804599999 match 


The second parameter <string> is optional and is the replacement string. If not specified, the command 
permits to selectively suppress the whole called address. This parameter is a string with digits from 0 to 9, 
and/or with '#' character(s) and/or with one ™' character. If present, the '*' character must be placed at the 
end. 


The following rules are applied for conversion: 
e the x121 address to convert is explored digit by digit 


e a™'character must be seen as all remaining characters are 


e at the same rank in <match-mask> and in <string>, the different combinations of characters give 
the conversion to apply on this digit: 


Called Nbr <match-mask> <string> Conversion 

tgt_digit tgt_digit / # repl_digit => repl_digit 

tgt_digit tgt_digit / # # => tgt_digit 

tgt_digit tgt_digit / # * => <<removed>> 

tgt_digit tgt_digit / # <none> => <<removed>> 

tgt_digit * repl_digit => repl_digit <<added>> 

tgt_digit * # => tgt_digit 

tgt_digit * * => tgt_digit 

tgt_digit % <none> => <<removed>> 

<none> * repl_digit => repl_digit <<added>> 

<none> * <not digit> => <<none ->end >> 
Examples: 
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[1] Replacing a prefix 
X25-outgoing convert called-address ####* 8000* 


e =x121: 9000781234 => 8000781234 
e =x121: 60004554 => 80004554 


[2] Removing a prefix 
X25-outgoing convert called-address ######* * 


e =x121: 9000781234 => 1234 
e §=x121: 60004554 => 54 


[3] Insertion of prefix 


X25-outgoing convert called-address * 8000* 


e =x121: 781234 => 8000781234 
e = =x121: 4554 => 80004554 
e = =x121: 54 => 800054 


e  x121:(no address) => 8000 


[4] Insertion of full address 
X25-outgoing convert called-address * 8000541234 


e =x121: 9000781234 => 8000541234 
e = §=x121: 60004554 => 8000541234 
e = =x121:54 => 8000541234 
e x121:(no address) => 8000541234 


[5] Address suppression 


X25-outgoing convert called-address * 


e x121: 9000781234 => (no address) 
e §=x121: 60004554 => (no address) 


e x121:(no address) => (no address) 


[6] Replacing intermediate digits by others with insertion 
X25-outgoing convert called-address 9###64* S###8899* 


e =x121: 9000641234 => 800088991234 
e §=x121: 900064 => 80008899 


[7] Adding digits at the end (fixed length addresses) 
X25-outgoing convert called-address ########* #HHHHFHHHIO 


e §=x121: 90006442 => 9000644299 
e §=x121: 70004401 => 7000440199 
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[8] Removing digits at the end 
X25-outgoing convert called-address ########* #####444 


e =x121: 900064421234 => 90006442 
e =x121: 7000440188 => 70004401 


X25-outgoing convert called-address ######## ###### 


e =§=x121: 90001234 => 900012 
e §=x121: 70004488 => 700044 


CLI (x25 packet)> [no] X25-incoming convert calling-address <match-mask> 
[<string>] 
This command converts the X.121 calling address field for X.25 calls issued from a terminal (incoming 
calls to OneOS X.25 interface). This command is applied before any local X.121 address insertion i.e. if 
the result of conversion is “no calling address”, and if the local address has been configured, it will be 
added. This command can only be defined once per interface. 


The first parameter <mat ch-mask> is mandatory and allows selecting the addresses on which conversion 
can apply and, for these addresses the part of the address which will be converted (in combination with 
<string> parameter). See detailed comment in"x25-outgoing convert called-address" 


The second parameter <string> is optional and is the replacement string. If it is not specified this is 
equivalent to suppress the full x121 address. This parameter is a string with digits from 0 to 9, and/or with 
'#' characters, and/or with one ™' character. If present the '™' character must be at the end. See detailed 
comment in"X25-outgoing convert called-address". 


CLI (x25 packet)> [no] X25-incoming insert cug <cug-value> 
This command inserts a Closed User Group (CUG) facility field for X25 calls issued from terminal 
(incoming calls to OneOS X25 interface). This command is applied before any check; if CUG checking is 
configured it must include this CUG. <cug-value> ranges from 0 to 99. 


For the X25 packet data flow, each direction input and output may independently specify its own packet 
size and window size. 

CLI(x25 packet)> ips { 16 | 32 | 64 | 128 | 256 | 512 | 1024 } 

e Maximum input packet size in bytes (default is 128). 


CLI (x25 packet)> ops { 16 | 32 | 64 | 128 | 256 | 512 | 1024 } 
e Maximum output packet size in bytes (default is 128). 


CLI (x25 packet)> win <1..7> 
e Window size for input packets (Default: 2). 


CLI (x25 packet)> wout <1..7> 
e Window size for output packets (Default: 2). 


The logical channel number 0 can be used or not as incoming, outgoing or two-way channel. 


CLI(x25 packet)> enable { lcn0-as-incoming | lcn0-as-outgoing 

| 1lcn0-as-two-way } 
CLI(x25 packet)> disable { lcn0-as-incoming | lcn0-as-outgoing 
| 1lcn0-as-two-way } 





Finally, complete the configuration by entering the following commands: 


CLI (x25 packet)> execute 
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CLI (x25 packet)> exit 
CLI (x25)> exit 

CLI (config-if)> exit 
CLI (configure) > 





4.4.2.1.4 X.25 Routing 


The X.25 routing enables to redirect X.25 calls to an output interface. There are two cases: 


e Anincoming XOT call is received and its must be routed to a serial interface (the on-board serial 0/0 
interface of the ONE60 or on the V.28 daughter board of the ONE60/200, namely serial 2/{1|2}) 


e An-X.25 call is received and must be redirected to XOT 


A call packet cannot be redirected on the interface that it is originating from. The configuration commands 
follow. To enter in X.25 routing configuration, enter: 


CLI (configure)> [no] route x25 


The routing table allows up to 50 entries. By default, it is forced to route X.25 packets to serial 0/0 
(V.11/V.35/V.28/V.36) and vice-versa. 


Then select an X.121 address that you want to attach an output interface afterwards: 
CLI (route-x25)> [no] x121 <x121-pattern> 


The pattern entered can be a X.121 number (example: 700011) or a number with a wild card (example: 
7000* means all numbers starting with 7000). Any call with a X.121 number matching this entry is routed 
on the output interface 


CLI (route-x25)> [no] { serial <slot>/<port> | xot } 


Then enter exit and create the next x121 entry if needed. Once you have finished the X.25 routing 
configuration, enter execute. 


The routing sorts the entries out from the most discriminating number (longest number without ™') to the 
least discriminating number ('*'). The routing is made by matching call packets with the sorted entries. 


Example: 


route x25 

x121 8000* 
xot 

exit 

x121 9000* 
serial 0/0 
exit 

x121 90000021 
serial 2/1 
exit 

x121 90000022 
serial 2/2 
exit 

execute 

exit 


4.4.2.1.5 | XOT Routing Table 


The main goal of the XOT routing table is to define an IP destination for each X.121 address (or group of 
addresses, see utilization of the * star character) that the XOT service can process when handling 
outgoing X.25 call packets. 


The XOT routing table is organized as follows, and contains up to 50 entries. 
Each entry specifies: 


e X.121 target address 
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e Associated IP target addresses or DNS parameters 

e Keep alive parameters specific to the TCP sessions with the X.121 target 
e Selection method of the possible remote XOT gateway addresses 

To enter in the configuration of the table: 


CLI (configure)> route xot 
CLI (route-xot) > 


If you do not define the source address of the XOT gateway, the source address is the same as the 
outgoing interface address. This can be inconvenient, as the interface address is not always known in 
advance (for example, the IP address of a PPP interface can be retrieved dynamically). You can then 
choose a fixed IP address as follows: 


CLI (route-xot)> ip address <source-ip-addr> 


Alternatively, you can select the IP address of another interface (which IP address is usually fixed): 


CLI (route-xot)> ip unnumbered { Loopback <lb-id> | 
Ethernet <slot>/<port>[.<vlan-if>] | 
FastEthernet <slot>/<port>[.<vlan-if>] | 
Atm <intf>.<port> | 
Serial <slot>/<port> | <...> } 


Then for each entry of the table associated with an x121 address (or group of addresses), enter: 
CLI (route-xot) > *x121 <x121-address> 
CLI (x121)> 
The Remote Address is in X.121 format. For this called address, we can associate the target IP address 
and other destination-specific parameters. 
CLI(x121)> ip <ip-address> [ip <ip-address2> [ip <ip-address3> [ip <ip- 
address4>]]] 
e IP address of the destination XOT peer. 


e Then optional IP address of the first, second, third possible XOT peer. 


Instead of using static IP addresses, we can use domain name resolution: DNS servers are defined 
globally for the router (Command: 'ip name-server ..."') and contains a list of IP addresses for 
certain domain names. To enable DNS-based XOT routing, the DNS servers must be configure to return 
the IP addresses of XOT gateways based on domain names. Therefore, the domain names are built based 
on the called X.121 address. The command is the following: 


CLI(x121)> ip dns <string1l>#<num-d>#[<string2>] 


For the called X.121 address matching this routing entry, a query is sent to the DNS server(s) for the 
domain name built with the concatenation of the following strings: 


e = String1 (optional) 


e = The first <num-d> digits of the called X.121 address. If <num—d> = 0, the whole X.121 address is 
taken. 


e — String2 (optional) 


Example: 


CLI (route-xot)> x121 8000* 
CLI(x121)> ip dns xotresolv#3#.com 





Beware of conflicts with the host name. Example: The host is configured as follows: 
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ip host xot60001lgtw2 192.168.200.101 


The DNS server is then configured: 

ip domain-name xotdomain.org 

ip name-server 127.0.0.1 

ip dns-proxy dns-server 193.1.1.109 
If you do not wish to use a DNS cache, use: 


no ip dns-proxy cache 


When querying the string 'xot 800010gtwl1'", it returns: 
xo0t800010gtwl1 192.168.200.101 192.168.201.101 192.168.201.102 
192.168.201.103 
As you can see, the local host is queried first, thus creating potentially a conflict. 
For the called X.121 address 80003, the 'xotresolv800.com' domain name is queried. 


Whether the IP address is returned through DNS servers or manually configured, we can then define the 
selection algorithm for XOT gateway IP addresses. 


CLI (x121)> gateway-selection { backup | random } 


"backup! is the default value. When 'backup' is used, the first configured IP address or the first 
address in the list returned by DNS is selected as primary XOT gateway. If no XOT connection can be 
done, the second one is taken and so on. 


If 'random' is selected, one address among the N possible addresses is randomly selected. If no XOT 
connection can be built with the corresponding XOT gateway, this IP address is considered invalid. (N-1) 
addresses remain. The same process is repeated with the (N-1) addresses, then N-2 ... until all addresses 
are considered invalid. 


If no connection is possible with all addresses, the X.25 connection is released. 


CLI(x121)> [no] keepalive-period <1..3600> 
e Defines in seconds (default 60) the keepalive period of the TCP connection. 


e The 'no' option means no keepalive. 


CLI(x121)> [no] keepalive-tries <1..10> 

e Defines the number of consecutive keepalive messages (default 4) with no 
acknowledgement to consider the TCP connection as silent. When the TCP connection is 
silent, then the TCP connection and associated X.25 circuit are cleared. 


e The 'no' option means no retry. 


CLI (x121)> exit 


When all the X.121 entries are set, the routing table is built by entering the following command: 


CLI (route-xot)> execute 


To clear an entry of XOT routing table: 


CLI> no x121 <x121-address> 


Warning: Using the no option, all the data of the specified entry will be lost. 
To clear the XOT routing table: 


CLI> no route xot 


Warning: Using the no option, all the data of the XOT routing table will be lost. 
The rules for X121 address specification are the following: 


An X.121 address can be specified with: 
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- 15 digits maximum 
Example: 123456789012345 


- n digits ended by a star character masking all the subsequent characters: 


Example: 1234* 


Means all X.121 addresses from 12340 (5 digits) to 123499999999999 (15 digits) 


- Single star character: 
Example: * 
Means all X121 addresses from 0 (1 digit) to 999999999999999 (15 


The list of X.121 address is automatically organized by the CLI; the most discriminating address first, the 


least discriminating address being last: 
Example: 


1234 
1234* 
12* 

1 


* 


4.4.2.1.6 Statistics and Configuration Display 


To display all configuration parameters of the serial interface, including default values, use the following 


command: 


CLI > show configuration interface serial 0/0 
Serial interface slot 0 port 0 















































digits) 


[ UA ] 


Physical layer mode: Autodetect 
Physical modulation type: Autodetect 
105 signal: default 
106 signal: default 
107 signal: default 
108 signal: default 
109 signal: default 
Rate: 2000000 
TU: 1500 
Physical layer sync: Sync 
Physical layer sync mode: nrz 
Activity link timer: 1 
Activity link count: 3 
Encapsulation: X25 
‘APB DTE modulo 8 windows(k) = 7 
n2 = 10 Tl = 1600 ms T2 = 400 ms 
PACKET D X121 address = 
0000 incoming circuits from 0000 to 0000 
0025 two ways circuits from 0001 to 0025 
0000 outgoing circuits from 0000 to 0000 
default packet length 128 (input) 128 (output) 
default packet windows 2 (input) 2 (output) 
no CUG to check on incoming call 
Interface status: DOWN 
Configuration status: Completed 
To display serial interface statistics, the command is: 
CLI> show statistics serial 0/0 
Statistics for LINK LEVEL LAYER (LAPB) 
[ SABM(E) ] { DISC ] 
-start -lastread .start -lastread 


TX 


.start .lastread 


000000004 000000000 000000000 000000000 000000000 000000000 
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[ 


-Start 


[ 


Start 






















































































Rx ignored frames 000000000 


Statistics for PACK 


[ 


Start 


Tx : 000000000 0000 
Rx : 000000001 0000 


28Gart 


Tx : 000000001 0000 
Rx : 000000000 0000 


[ 


»SUare 


Tx : 000000016 0000 
Rx : 000000000 0000 


[ 


-Sstart 


Tx : 000000000 0000 
Rx : 000000014 0000 


[ 


-Start 




























































































Rx : 000000000 000000000 000000000 000000000 000000001 000000000 
DM | [ FRMR ] [ REJ ] 
.lastread .start lastread .start lastread 
Tx : 000000000 000000000 000000000 000000000 000000000 000000000 
Rx : 000000001 000000000 000000000 000000000 000000000 000000000 
DATA ] [ RR ] [ RNR ] 
-lastread .start .lastread .start .lastread 
Tx : 000000019 000000018 000000002 000000001 000000000 000000000 
Rx : 000000017 000000016 000000005 000000004 000000000 000000000 
ET LAYER 
CALL ] [ CLEAR ] [ RESTART ] 
.-lastread .start .lastread .start .lastread 
00000 000000000 000000000 000000001 000000000 
00001 000000001 000000001 000000001 000000000 
[ CALL CONF ] { CLEAR CONF ] [ RESTART CONF ] 
.-lastread .start .lastread .start .lastread 
00001 000000001 000000001 000000000 000000000 
00000 000000000 000000000 000000000 000000000 
DATA ] [ RESET ] [ INTERRUPT ] 
.-lastread .start .lastread .start .lastread 
00016 000000000 000000000 000000000 000000000 
00000 000000000 000000000 000000000 000000000 
RR J [ RESET CONF ] [ INTR.CONF ] 
-lastread .start .-lastread .start .lastread 
00000 000000000 000000000 000000000 000000000 
00014 000000000 000000000 000000000 000000000 
DIAG ] [ UNKNOWN ] [ RNR ] 
-lastread .start -lastread .start .lastread 
Rx : 000000000 000000000 000000000 000000000 000000000 000000000 






































Column .start: number of frames / packets since the X25 is started 


Column .1lastread: number of frames / packets since the last show statistics command 


The XOT statistics are provided in the serial interface statistics. 


To see the XOT statistics a show statistics command is available and includes: 


CLI> show statistics xot 


XOT TCP statistics 
incoming TCP 
outgoing TCP 
outgoing TCP 





outgoing XO 


incoming XO 
incoming XO 





calls 
calls 
calls 
packet 
packet 


start lastread 

000000001 000000001 

OK 000000000 000000000 
FAIL. 000000000 000000000 
s 000000014 000000014 

s OK 000000015 000000015 


bad packets 000000000 000000000 





















































Statistics for PACKET LAYER 
[ CALL ame CLEAR [ RESTART ] 
-start .-lastread .start .lastread .start .lastread 
Tx : 000000000 000000000 000000000 000000000 000000000 000000000 
Rx : 000000001 000000001 000000001 000000001 000000000 000000000 
[ CALL CONF Wy) st CLEAR CONF [ RESTART CONF J 
-start -lastread .start .lastread .start .lastread 
Tx : 000000001 000000001 000000001 000000001 000000000 000000000 
Rx : 000000000 000000000 000000000 000000000 000000000 000000000 
[ DATA afueei RESET [ INTERRUPT ] 
-start -lastread .start .-lastread .start .lastread 
Tx : 000000015 000000015 000000000 000000000 000000000 000000000 
Rx : 000000000 000000000 000000000 000000000 000000000 000000000 
[ RR We of RESET CONE ] [ INTR. CONF ] 
-start .-lastread .start lastread .start .lastread 
Tx : 000000000 000000000 000000000 000000000 000000000 000000000 
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Rx : 000000013 000000013 000000000 000000000 000000000 000000000 
[ DIAG J UNKNOWN ] [ RNR ] 
-start .lastread .start -lastread .start .lastread 

Rx : 000000000 000000000 000000000 000000000 000000000 000000000 


Column .start: number of packets since the XOT is started 


Column .1lastread: number of packets since the last 'show statistics' command 


To see the XOT active connections status, a show status command is available. 


CLI> show xot 
XOT 11 active connections 





































































































id=00 LCN=0049 [connected remote 10.29.140.171 
initiated by remote using port 1024 
id=01 LCN=0050 [connected remote 10.29.140.171 
initiated by remote using port 1049 
id=02 LCN=0048 [connected remote 10.29.140.171 
initiated by remote using port 1025 
id=03 LCN=0047 [connected remote 10.29.140.171 
initiated by remote using port 1026 
id=04 LCN=0046 [connected remote 10.29.140.171 
initiated by remote using port 1027 
id=05 LCN=0045 [connected remote 10.29.140.171 
initiated by remote using port 1028 
id=06 LCN=0044 [connected remote 10.29.140.171 
initiated by remote using port 1029 
id=07 LCN=0043 [connected remote 10.29.140.171 
initiated by remote using port 1030 
id=08 LCN=0042 [connected remote 10.29.140.171 
initiated by remote using port 1031 
id=09 LCN=0041 [connected remote 10.29.140.171 
initiated by remote using port 1032 
id=10 LCN=0001 [connected remote 10.29.140.171 
initiated by local using port 1124 





The routing table is printed as follows: 


CLI> show configuration xot route 

XOT route: 2 routes 

x121 90000010 ip 192.1.1.110 

keepalive period 200 secs tries 8 

x121 90000020 ip 192.1.1.120 192.1.2.120 
keepalive period 60 secs tries 4 


4.4.2.1.7 Debug and Traces 


The following command restarts the serial interface: 
CLI> x25 restart interface serial { 0 | 2 }/<0-2>[.<1-255>] 


The following commands define the X.121 address and the user data (password) that will make the traffic 
generator generate data when called at this address with this user data. The default user data used as 
password is "00GG". The data generated is a rotating pattern of the alohanumeric characters. 


CLI (configure)> x25 traffic-generator [called-address <x121-address>] 
CLI (configure)> x25 traffic-generator password <user-data-as-—password> 


CLI (configure)> no x25 traffic-generator 


For X.25 layer-3 debugging, use: 
CLI> [no] debug x25 packets all 
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For X.25 layer-2 (LAPB) debugging, use: 
CLI> [no] debug x25 frames all 


For XOT SOCKET debugging (Interface between IP and XOT), use: 
CLI> [no] debug xot socket 


For XOT routing table debugging, use: 


CLI> [no] debug xot routing 


For XOT protocol debugging, use: 
CLI> [no] debug xot stack 


4.4.2.1.8 Configuration Example 


This example provides the configuration of an OneOS-based router, which Ethernet interface (192.1.1.100) 
is connected to an IP network. The device is represented on the left-hand side of the following diagram. On 
this network, we find 2 other XOT gateways with the following addresses: 


e 192.1.1.120: manages the X.121 address 90000010 
e 192.1.1.110: manages the X.121 addresses 90000010 and 90000020 (backup) 


Because XOT is based on TCP, the XOT flow slowly reduces its output rate when the WAN port is 
congested. This can be the case when the router routes UDP-based traffic from the LAN to the WAN. The 
use of CB-WFQ or classification of XOT in a separate CBQ class is strongly recommended. You can use 
the source IP of the XOT traffic as filtering criterion. 


X.121@ = 90000020 






X.25 
Terminal 





192.1.1.100 















X.121@ = 90000010 
+ 90000020 (backup) 


CLI> show running-config 
Building configuration... 


Current configuration: 
hostname CLI 

interface FastEthernet 0 
ip address 192.1.1.100 255.255.255.0 
exit 

interface serial 0/0 
encapsulation X25 

lapb DTE 

t1 16 

n2 4 

exit 
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packet DTE 

htc 25 

exit 

exit 

execute 

route xot 

x121 90000010 

ip 192.1.1.110 
keepalive-period 200 
keepalive-tries 8 
exit 

x121 90000020 

ip 192.1.1.120 192.1.2.110 
exit 

execute 

exit 


4.4.2.2. PAD over XOT 


(ONE60/200 specific, only supported on the daughter-board with V.28 ports) The Packet Assembler 
Disassembler (PAD) function permits the communication of character-driven terminals over a packet 
network (generally X.25). The PAD function was implemented in OneOS to transport PAD data over X.25 
over TCP/IP. 


The PAD protocol is divided in three sub-components, as illustrated on the figure below: 
- X.3, which defines the set of parameters describing the behavior of the router towards the terminal 
- X.28, a protocol between the terminal and the PAD 


- X.29, a protocol between the PAD and the remote end point. 



































Terminal 























Server 


X.28 X.29 





Param. X.3 


4.4.2.2.1 X.3 Parameter Configuration 
4.4.2.2.1.1 Introduction 


The X.3 standard defines a set of 22 parameters. To facilitate the configuration, standardized parameter 
sets are pre-defined and grouped in X.3 profiles. The user can select the profile and modify few 
parameters if needed. 


A X.3 profile can also be remotely chosen (by the terminal or remote host) using X.28 or X.29. 


The parameters and their possible values are the following (‘ns' means 'not supported’): 


- 1: Escape character 0 none 1 DLE 
- 2: Echo 0 no echo 1 echo 
- 3: Character for packet sending 0 none 2 carriage return 126 all characters 


Page 4.4-251 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


- 4: Timer length for packet emission Onotimer 1to255n*50ms 

- 5: XON/XOFF Flow control (PAD to Terminal) 0 none 1 only data transfer 

- 6: Indication transmission (PAD to terminal) 0 none 1 always 

- 7: Meaning of 'break' 0 send 1 interrupt data transfer 2 reset 


- 8: Send data to terminal ns =0 always 


- 9: Padding after CR 0 never 4 four times null Char 
- 10: Force line folding ns =0 no 

- 11: Speed ns (read only) 

- 12: XON/XOFF flow control (Terminal to PAD) 0 none 1 always 
- 13: Insert LF after CR ns =0 no 

- 14: Padding after LF ns =0 none 

- 15: Character edition ns =0 only during the command phase 

- 16: Delete character ns =8 Backspace 

- 17: Line delete character ns =0 no line delete 

- 18: Display line ns =0 no display line 

- 19: Indicate edition ns =0 no editing signal 

- 20: Echo mask ns =0 no, all characters echoed 

- 21: Parity processing ns =0 no parity detection and generation 

- 22: wait end of page ns =0 no 


To ease the configuration of profiles, pre-defined values are collected in standard profiles. Here is the list 
of the support profiles: 


Supported Parameters 
ID 


4.4.2.2.1.2 





bh 
No 
[ony 





0 
0 
0 
0 
0 
0 
0 
0 
0 


OAaAYNADNUOBWNEF O 





FOCWTCOMOOCOCOCOCOOCOOCO 





COCDCORPKHFHODVOGCOCOF 
FPORPRRPOORPRRHROOFR OF 





CoooCcocorRCoOOoOnrR OC O°C 





DOODAONNNANNN OO 





annawaodaonao 


NRPRPRPRPR 
NUWNHFO 


Configuration 


Step 1) 


The 


X.3 parameters are collected in a virtual template. The template is based on a standard profile as 


shown above that you can customize. To configure the virtual template, first enter in template configuration 


from 


the global configuration terminal and select the standard profile to use: 
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CLI (x3-pad)> init-from <standard-profile-number> 


CLI (configure)> [no] virtual-template x3-pad <user-profile-id> 


The user-profile-id must be between 24 and 89. 
Step 2) 


If you do not need to modify the profile, go to step 3). Should you need to modify a standard profile, first 
enter the 'parameters' command and modify the parameters (default values are the one from the standard 


profile): 


CLI (x3-pad)> parameters 


CLI (x3-pad-parameters)> 01-escape-char { DLE | 


CLI (x3-pad-parameters)> 02-echo { NO | 


YES } 


CLI (x3-pad-parameters)> 03-send-char { NONE | 


CLI (x3-pad-parameters)> 04-send-timeout <0..255> 
CLI (x3-pad-parameters) > 05-pad-flow-control { NO 
CLI (x3-pad-parameters) > 06-pad-indication { No 
CLI (x3-pad-parameters)> O07-break { SEND 


CLI (x3-pad-parameters) > 09-cr-padding { NO | YES } 





CLI (x3-pad-parameters)> 12-terminal-flow-control { NO 


RESET 


Once all parameters whose change is required are set, enter ‘exit’. 


Step 3) 


To complete the configuration of the template, enter 'execute' and then ‘exit’. 


4.4.2.2.1.3 Example 


configure terminal 
virtual-template x3-pad 50 
init-from 3 

parameters 

04-send-timeout 50 
05-pad-flow-control YES 
07-break INTERRUPT 
12-terminal-—flow-control YES 
exit 

execute 

exit 

exit 


4.4.2.2.2  V.28 Interface Configuration 


First select the interface to configure (from the global configuration mode): 


CLI (configure)> interface serial { 2/1 
4.4.2.2.2.1 Physical Layer Configuration 


Underlined parameters are default values. 


2/2 } 


CR | ANY } 


INTERRUPT } 


If you wish to change parameters of the physical layer of the V.28 interface, enter the following command 


in interface configuration mode: 
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CLI (config-if)> physical-layer 





CLI (ph_layer)> async 


The following parameters are configurable. 
To set the interface speed in bit per second, use the following command: 
CLI (async)> rate {300| 600] 1200| 2400| 4800| 9600] 38400] 57600| 115200} 


To provide the number of data bits per byte, use the following command: 
CLI (async)> data-bit {5 | 6|7| 8 } 


To set the parity check type of characters, use the following command: 


CLI (async)> parity { none | even | forced-to-0 | forced-to-1 } 


To set the number of stop bits, use the following command: 
CLI (async)> stop-bit { 1 | 2 } 


To set the number of characters in the receive buffer, use the following command: 


CLI (async)> receive-buffer-size <1..128> 


To set the type of flow control, use the following command: 
CLI (async)> flow-control { none | hardware | xon-xoff | both } 
To configure the management of received ‘breaks’, use the following command; 'none' means the 'break' 


signal is ignored, 'incoming' means the received 'breaks' are transferred as NULL characters in the 
receive buffer. The OneOS software does not generate any ‘break’. 


CLI (async)> break { none | incoming } 


Enter exit 2 times once the configuration of the asynchronous level is finished: 


CLI (async)> exit 
CLI (ph_layer)> exit 
CLI (config-if)> 


4.4.2.2.2.2 PAD <---> X.25 Layer Configuration 


To allow the serial interface to support the PAD, enter PAD as the argument for ‘encapsulation’: 


CLI (config-if)> encapsulation pad 


Then, select the PAD profile: 
CLI (pad)> x3-profile <profile-id> 


Where the profile-id has the following values: 
e Standard X.3 profile, the support values are: from 0 to 8, from 10 to 13, 15, 22 


e User-defined profiles, from 24 to 89 (it must have been created previously) 


A X.121 address can be associated with the interface. It will be used as calling address in the XOT packet, 
when the call is initiated by the PAD: 


CLI (pad)> [no] x121 <x121-address> 
When the PAD must set up the XOT connection, an automatic call must be configured. If the call is not 


successful, the call is tried again in an infinite loop after a delay. The delay is chosen randomly between 10 
and 60 seconds. The call is parameterized with a call string detailed hereafter: 


CLI (pad)> [no] automatic-call [[[[ <facility-#1>[[[,<facility—#2>], 
<facility—-#n>]-<called-x121-address>[D<user-data>] 


<user-data> is a string with 0 to 12 characters (without '+', backspace or carriage return). As shown 
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above, the facility list is provided separated by commas without space. The X.121 address is preceded by 
the '-' character without space. The facilities are written as follows: 


e N<nui>: indicates the Network User Identifier (1 to 6 characters) 
e R: indicates Reverse charging (the called PAD is charged, instead of the caller) 


e G<0..99>: indicates the Closed User Group (CUG) 


Example: automatic-call Nabc123,R,G18-80000021D00GG00 


You can then define the mapping between NUI (Network User Identifier) and NUA (Network User 
Address). First, enter in NUI list configuration: 


CLI (pad)> [no] nui-list 
CLI (pad-nui-list) > 


Then, configure the NUI-NUA couples as follows: 


CLI (pad-nui-list)> [no] nui-nua <nui>.<nua-x121> 


<nui> is a string of 16 characters maximum. Enter 'exit', when all NUI-NUA mappings are configured. 
Enter ‘exit’ again when you have completed the configuration of the PAD encapsulation. 


If you need to adjust XOT parameters, use the ‘packet dce' command. However, some default values 
are usually acceptable and you do not have to change these values. The default values are equivalent to 
the following script: 


packet dce 
lic 
hic 
ltc 
htc 
loc 
hoc 
no subscribe packet size 
ips 128 

ops 128 

no subscribe window-size 
win 4 

wout 2 

exit 


OoOrRRrROO 


If all parameters are configured, enter execute, then exit. 


4.4.2.2.2.3 Statistics 


To view the serial interface configuration and default values, use the following command: 


CLI> show configuration interface serial <slot>/<port> 


To display the interface statistics, the syntax is: 


CLI> show statistics serial <slot>/<port> 
CLI> show vxx <slot>/<port> 


To display X.3 virtual templates: 


CLI> show virtual-template x3-pad <template-id> 


To display information on X.25/PAD status: 
CLI> show X25 
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4.4.2.2.2.4 Example 


configure terminal 
interface serial 2/1 
physical-layer 
async 

rate 57600 

data-bit 8 

parity NONE 

stop-bit 1 
flow-control BOTH 
exit 

exit 

encapsulation pad 
x3-profile 50 
x121-address 80000021 
exit 

execute 

no shutdown 

exit 

exit 
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4.4.3 X25 over ISDN (X31) 


The purpose of X.25 over ISDN (ITU-T X.31) is to transport X.25 packets over ISDN networks. OneOS 
provides an X.31 Gateway function to allow X.25 communications through an ISDN link. Adding to that, 
using XOT (see 4.4.2) the X.25 backbone network is replaced by IP networks enabling the use of a single 
infrastructure type enabling the convergence of multiple protocols and applications. 


As of V4.2R5 software release, the X.25 communication has to be established using only the D 
channel of an ISDN BRI interface configured in VoIP mode and there can be up to 4 PLL. 





















X.31 : 
Terminal X31/XOT X31/XO 
7 Gateway 
X.25 over ISDN TCP/XOT X.25 over ISDN 
eee eee 


4.4.3.1 | Configuration commands 


Note that the X31 configuration is only available after having entered, using the sw-right command, the 
license key dedicated to your OneOS-based router and corresponding to the software license you bought 
(X31 license). 


The X31 gateway configuration requires several configuration steps: 

e ISDN D channel interface configuration (permanent logical link configuration) 
e X.25 Layer-3 configuration (virtual template configuration) 

e X.25 D channel interface configuration (X.31 configuration) 


e = =X.121 <---> X.25 D channel interface routing 


4.4.3.1.1 ISDN D channel interface 


The permanent logical links (PLL) are declared and configured under ISDN in BRI interface mode. 
In global configuration mode, enter in BRI configuration mode: 


CLI (configure)> interface bri <slot>/<port> 


The BRI interface can be started or shutdown: 


CLI (conf-if)> [no] shutdown 


Then enter in ISDN configuration mode to configure the PLL. Each PLL is defined by its static TEI number. 
The LAPD parameters are common to all PLL (refer to 4.3.7.2.1 for more information about LAPD 
parameters configuration). 





CLI (conf-if)> isdn 

CLI (isdn)> permanent-logical-link 

CLI (conf-pll)> k-window <1..128> (default = 7 ) 
CLI (conf-p1ll)> modulo-window <8|128> (default = 128) 
CLI (conf-p1ll)> n200-counter <1..20> (default = 3 ) 
CLI (conf-pll)> t200-timer <0..63) (default = 1 ) 
CLI (conf-pll)> t203-timer <0..63) (default = 10 ) 
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conf-pll)> [no] pll { 1 63> 
conf-pll)> exit 


I ( |} 2 | 
I ( 

I(isdn)> exit 

I( 

I( 


3 | 4 } tei <0. 


conf-if)> exit 
configure) > 


PORES 





4.4.3.1.2 X.25 layer 3 template 


Templates are used to ease the configuration of X.25 layer 3 parameters. They contain a set of common 
parameters that can be shared across multiple X.31 interfaces. 


To create and configure an X.25 layer-3 template, enter the following command in global configuration 
mode (refer to 4.4.2.1.3 for more information about X.25 layer-3 parameters configuration). 








CLI (configure) > virtual-template x25-layer3 <id:1..32> 

CLI (x25-layer-3)> packet { dte | dce } 

CLI (x25-layer-3)> { disable | enable } lcn0-as-—incoming 

CLI (x25-layer-3)> { disable | enable } lcn0-as-outgoing 

CLI (x25-layer-3)> { disable | enable } lcn0-as-—two-way 

CLI (x25-layer-3)> lic <0..4095> 

CLI (x25-layer-3)> hic <0..4095> 

CLI (x25-layer-3)> 1Ite <0..4095> 

CLI (x25-layer-3)> hte <0..4095> 

CLI (x25-layer-3)> loc <0..4095> 

CLI (x25-layer-3)> hoc <0..4095> 

CLI (x25-layer-3)> [no] cug <0..99> 

CLI (x25-layer-3)> [no] x25-address <x121-address> 

CLI (x25-layer-3)> [no] x25-outgoing convert called-address <match-mask> 
[<replacement-string>] 

CLI (x25-layer-3)> [no] x25-outgoing convert cug <0..99> to <0.99> 

CLI (x25-layer-3)> [no] x25-outgoing insert cug <0..99> 

CLI (x25-layer-3)> [no] x25-outgoing suppress called-address 

CLI (x25-layer-3)> [no] x25-outgoing suppress calling-address 

CLI (x25-layer-3)> [no] x25-incoming convert calling-address <match-mask> 
[<replacement-string>] 

CLI (x25-layer-3)> [no] X25-incoming convert cug <0..99> to <0..99> 

CLI (x25-layer-3)> [no] X25-incoming insert cug <0..99> 

CLI (x25-layer-3)> ips { 16 | 32 | 64 | 128 | 256 | 512 | 1024 } 

CLI (x25-layer-3)> ops { 16 | 32 | 64 | 128 | 256 | 512 | 1024 } 

CLI (x25-layer-3)> win <1..7> 

CLI (x25-layer-3)> wout <1..7> 

CLI (x25-layer-3)> [no] subscribe packet-size 

CLI (x25-layer-3)> [no] subscribe window-size 

CLI (x25-layer-3)> exit 

CLI (configure) > 


Note: editing an X.25 layer-3 template causes the restart of layer 3 of the X.31 interfaces using it. 


To delete an X.25 layer-3 template, enter the following command in global configuration mode: 


CLI (configure)> no virtual-template x25-layer3 <id:1..32> 


Note: the X.25 layer-3 template will not be deleted if it is used by an X.31 interface. 


4.4.3.1.3. X.25 D channel interface (X.31 interface) 


An X.31 interface (X.25 over D channel interface) consists of the association of a BRI sub-interface, of a 
PLL (defined under permanent-logical-1link) and of an X.25 layer-3 profile (defined under virtual- 
template x25-layer3). 





To create an X.31 interface, use the following commands: 


C 
C 


LI (configure)> interface x25-dchannel <slot/port.sub-interface> 
LI (conf-if)> permanent-logical-link <pll-number> 
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CLI (conf-if)> x25-layer-3 profile <id> 
CLI (conf-if)> exit 





slot/port represents the BRI interface the D channel of which will carry X.25 data while sub- 
interface Is an arbitrary number between 1 and 255 that represents the X.31 interface. 


To remove an X.31 interface, use the no form of the above command: 


CLI (configure)> no interface x25-dchannel <slot/port.sub-interface> 


Note: removing the X.31 interface does not remove either the PLL or the layer-3 template. 


4.4.3.1.4 X.31 interface routing 


The X.25 routing enables to redirect X.25 calls to an output interface especially the X.31 interface. 


A call packet cannot be redirected on the interface that it is originating from. The configuration commands 
follow. To enter in X.25 routing configuration, enter: 


CLI (configure)> [no] route x25 


Then select an X.121 address that you want to attach an output X.31 interface afterwards: 


CLI (route-x25)> [no] x121 <x121-pattern> 


The pattern entered can be an X.121 number (example: 700011) or a number with a wild card (example: 
7000* means all numbers starting with 7000). Any call with an X.121 number matching this entry is routed 
on the output interface 


CLI (route-x25)> [no] x25-dchannel <slot/port.sub-interface> 


Then enter exit and create the next X.121 entry if needed. Once you have finished the X.25 routing 
configuration, enter execute. 


The routing sorts the entries out from the most discriminating number (longest number without ™') to the 
least discriminating number ('*'). The routing is made by matching call packets with the sorted entries. 


Refer to 4.4.2.1.4 for more information about X.25 routing. 
Example: 


route x25 

x121 9000* 
x25-dchannel 5/0.1 
exit 

execute 

exit 


4.4.3.1.5 Statistics and Configuration Display 


To display all configuration parameters of the X.31 interface, including default values, use the following 
commands. 


To display the X.25 layer-3 template configuration, use: 


CLI> show virtual-template x25-layer3 <id> 


Example: 


CLI> show virtual-template x25-layer3 1 
PACKET DCE : X121 address = 600000 

no incoming circuits 
0008 two ways circuits from 0001 to 0008 
no outgoing circuits 
default packet length 128 (input) 128 (output) 
default packet windows 2 (input) 2 (output) 
option [subscribe packet size negociation] is set 
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option [subscribe window size negociation] is set 
OUTGOING CALLS OPTIONS 
option [convert called address] is not set 
option [remove called address] is not set 
option [remove calling address] is not set 
option [insert CUG] is not set 
no CUG to convert on outgoing call 
INCOMING CALLS OPTIONS 
option [convert calling address] is not set 
option [insert CUG] is not set 
no CUG to check on incoming call 
no CUG to convert on incoming call 
CLI> 
To display the permanent logical link configuration, use: 
CLI> show voice voice-port bri { all | index <index> } 
Example: 
CLI> show voice voice-port bri index 0 
voice port 5/0 
protocol descriptor BRI_TE 
config state up 
layer 1 status deactivated 
layer 2 status TEI , status 
permanent-—logical-link tei , ces , state , status 
LLP 1 32.5 9, - 7 OFF 
attached voip dial peer 0 
number of voice communication 0 
Channel (s) used 
To display the X.31 interface statistics, use the following command: 
CLI> show statistics x25 [|WORD] 
Statistics for X25 D channel interface 5/0.1 
Statistics for PACKET LAYER 
[ CALL J] [ CLEAR J] [ RESTART ] 
.start .lastread .start .lastread .start .lastread 
Tx 0 0 0 0 0 0 
Rx 0 0 0 0 0 0 
[ CALL CONF 14k CLEAR CONF J] [ RESTART CONF ] 
.start .lastread .start -lastread .start .lastread 
Tx 0 0 0 0 0 0 
Rx 0 0 0 0 0 0 
[ DATA ] [ RESET ] [ INTERRUPT ] 
-start -lastread .start .lastread .start .lastread 
Tx 0 0 0 0 0 0 
Rx 0 0 0 0 0 0 
[ RR 1 HE RESET CONE if INTR. CONF ] 
-start .lastread .start .lastread .start .lastread 
Tx 0 0 0 0 0 0 
Rx 0 0 0 0 0 0 
[ DIAG dt él UNKNOWN i i RNR ] 
-start .-lastread .start -lastread .start .lastread 
Rx : 0 0 0 0 0 0 
Number of incoming CALL with bad CUG 0 0 
Number of incoming CALL with no CUG 0 0 
To see the X.31 active connections status, use the following command: 
CLI> show x25 
+ 





Page 4.4-260 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


X25 D channel 5/0.1 





Packet Layer is DOWN ( Lower Layer DOWN ) 
Logical Channels in use 0 








XOT (X25 Over Tcp) interface 





Packet Layer is UP 
Logical Channels in use 0 











The X.31 interface status is displayed as follows: 


CLI> show interfaces x25-dchannel <slot/port.sub-interface> 


Example: 


CLI> show interfaces x25-dchannel 5/0.1 

x25-dchannel 5/0.1 is allocated, line protocol is started 
Layer 3 template ID 1 
Packet Layer is DOWN ( Lower Layer DOWN ) 


The X.25 routing table is printed as follows: 


CLI> show x25 route 





X25 route : 3 routes 

x121 600010* routed to XOT 

x121 9000000* routed to interface x25-dchannel 5/0.1 
x121 90000 routed to XOT 





4.4.3.1.6 | Debug and Traces 


The following command restarts the X31 interface: 


CLI> x25 restart interface x25-dchannel <slot/port.sub-interface> 


See 4.4.2.1.7 for more debug and trace commands. 


4.4.3.1.7 | Configuration Example 


The following example provides the configuration of an OneOS-based router including an X.31 gateway 
whose X.121 address is 600000. Its Ethernet interface (220.12.1.23) is connected to an IP network. An 
X.31 device (X.25 over ISDN) whose X.121 address is 900000 is represented on the left-hand side of the 
diagram. On the IP network, we find an XOT gateway those IP address is 220.12.1.24 and that manages 
the X.121 address 600010. See 4.4.2.1.8 as an XOT example. 


















X.31 
Terminal 220.12.1.23 220.12.1.24 
Cy IP Network 7 raat 
= X.25 over a Dede 
ISDN 
X.121@ = X.121@ = X.121@ = 
900000 600000 600010 


CLI> show running-config 
Building configuration... 


Current configuration: 


Page 4.4-261 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


hostname CLI 
interface FastEthernet 0/0 
ip address 220.12.1.23 255.255.255.0 
exit 
virtual-template x25-layer3 1 
packet DCE 
x25-address 600000 
exit 
interface bri 5/0 
isdn 
application-interface voip 
permanent—logical-—link 
llp 1 tei 32 
exit 
exit 
no shutdown 
execute 
exit 
route xot 
x121 600010* 
ip 220.12.1.24 
exit 
execute 
exit 
route x25 
x121 600010* 
xot 
exit 
x121 9000000* 
x25-dchannel 5/0.1 
exit 
x121 90000 
xot 
exit 
execute 
exit 
interface x25-dchannel 5/0.1 
permanent-logical-link 1 
x25-layer3 profile 1 
exit 
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4.5 


4.5.1 


4.5.1.1 


4.5.1.2 


4.5.1.3 


4.5.1.4 


IP ADDRESSING AND ROUTING 


This section describes the main features of the IP stack and its configuration. For advanced features such 
as Access Control Lists (ACL), NAT, and QoS, please refer to the appropriate sections for detailed 
information. 


Features 


The IP stack implements the Internet Protocol (IP), Internet Control Message Protocol (ICMP), Internet 
Group Management Protocol (IGMP), Address Resolution Protocol (ARP), Transmission Control Protocol 
(TCP), User Datagram Protocol (UDP), and Routing Information Protocol (RIP), as well as a number of 
advanced features including Access Control Lists (ACL), Network address Translator (NAT), and 
Differentiated Services (DiffServ). The IP stack has been implemented with optimal manageability and 
ease of configuration in mind. 


The implementation of the IP stack conforms to the standards defined by different standards organizations 
such as the IETF. The main features of the IP stack are outlined below. 


Variable Length Subnet Mask (VLSM) 


As defined in RFC 1878, VLSM enables set up of sub-networks by using a mask that differs from the Class 
A, B, C network mask. This feature can be useful in corporate networks for a flexible definition of corporate 
address space. 


Classless Inter-Domain Routing (CIDR) 


CIDR was introduced in mid 1990's to circumvent the problem of IP address exhaustion that was due to 
the rapid growth of the Internet. As defined in RFC 1519, when using CIDR, the address space of any 
traditional class (class A in particular) can be broken down into smaller address segments. This allows for 
more efficient use of the existing larger address spaces such as those found in Class A. 


The implication in using CIDR is that the routing infrastructure should allow for the use of an arbitrary (most 
often longer) mask instead of that derived from the class. 


IP Fast Forwarding 


To achieve high forwarding performance, IP fast-forwarding has been implemented to create a fast path for 
the most common IP packets except those, which require fragmentation or with specific options. It makes 
use of a route cache to accelerate routing table lookup and contains many other techniques to optimize 
fast forwarding processing. As a result, the overall forwarding performance is considerably improved. 
Advanced features such as QoS, ACL, and NAT are all implemented in fast path. 


Multiple Addresses per Interface 


Multiple addresses can be assigned to one network interface such that multiple logical networks can be 
supported on a single physical network. 
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4.5.1.5 Virtual Interfaces 


Virtual network interfaces are software interfaces that do not require a physical interface to run. Currently, 
virtual network interfaces include Loopback and Null interfaces. A Loopback interface loops all output 
packets back to IP. It can be used to virtually hold an IP address (not assigned to a physical port). The Null 
interface (much like the UNIX /dev/null device) discards all output packets and can be used to easily make 
routes unreachable (for example, to drop packets destined to 10.0.0.0/8, a user can add a route 10.0.0.0/8 
through the interface Null0). 


4.5.1.6 Static Routes 


Most often in small networks, it is sufficient to use static routes, (i.e., user-configured routes). Static routes 
can work together with dynamic routes. They can overwrite or be overwritten by dynamic routes. Static 
routes are maintained separately so that they can be installed to or removed from the routing table when 
network conditions change. 


4.5.1.7 | Equal Cost Multi-Path Routing (ECMP) 


When several static routes have an equal metric but different destinations (or gateway/interfaces), ECMP 
is activated. Two modes are available depending on a global configuration parameter. 


Per destination (default mode): a hashing is made on the source/destination address to select the path. At 
first sight, the load sharing is loosely “source + destination” based load sharing. The reason for using 
‘loosely’ is: the route cache is checked before the ECMP processing. The route cache only contains a 
reference to outbound path and destination IP (not source IP). That means two flows with the same 
destination IP but different source will take the same path once the path is in route cache. 


Per packet: packets are sent over successive equal cost paths without regard to individual destination 
hosts or user sessions. That means two flows with the same destination IP might take different paths and 
might arrive out of order. 


4.5.1.8 | Dynamic Routing 


Routing protocols such as RIP (Routing Information Protocol) can be used to exchange routing information 
among routers. Currently supported routing protocols are only suitable for use inside one administrative 
domain. Refer to the appropriate section for more information. 


4.5.1.9 IP Packet Processing Path 


The following diagram shows the sequence of processing that can be applied to packets routed by 
OneOS. This sequence is important, in that NAT or access lists can modify packets such that some 
processing becomes either inefficient or no more used. 
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4.5.2 Configuration Commands 


The parameter values given in the configuration commands are all informal. - Users should replace them 
with the appropriate values. 


4.5.2.1 IP Address 


To assign an IP address to an interface, use the following command in interface configuration mode (router 
shell): 


CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip address <ip-address> [<netmask>] [secondary] 





The ip-address and netmask should be given in the common dotted format, i.e., 10.10.10.1 or 
255.255.0.0. If the netmask is not given, it will be derived from the class of the given addresses. If the 
keyword secondary is present, the given address will be appended to the interface address list. 
Otherwise the address replaces the first address in the list (if it exists). 


To delete an address, use the no form of the above-referenced command. To delete all IP addresses or 
mark the interface that should not have any IP address, use the following command: 


CLI (config-if)> no ip address 
4.5.2.2 IP Broadcast Address 


To change the IP broadcast address of an interface, use the following command in interface configuration 
mode: 


CLI (config-if)> ip broadcast-address <ip-address> 


The default broadcast address is the network address with host part set to all ones. To return to the default 
value, use the following command: 


CLI (config-if)> default ip broadcast-—address 
4.5.2.3 IP MTU 


To change the IP MTU value, use the following command in interface configuration mode: 


CLI (config-if)> ip mtu <bytes> 


To return to the default MTU value, use the following command: 





CLI (config-if)> default ip mtu 
4.5.2.4 Enable IP Forwarding 


To enable IP forwarding, use the following command in global configuration mode: 


CLI (configure)> ip routing 


To disable IP forwarding, use the no form of the above-referenced command. IP forwarding is enabled by 
default. 


4.5.2.5 Static Routes 


To add a static route for any destination, use the following command in global configuration mode: 
CLI(configure)> [no] ip route <destination> <netmask> { <gateway> | 


<interface> } [<distance>] 


Either gateway or interface (such aS 'atm 0.1") must be given in the command. The distance (from 
1 to 255) is optional and used in multi-path routes (see below). The administrative distance is the 
preference criterion to determine which routing protocol is entitled to install a route in case of conflict. 
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Reminder of the default administrative distance: 














Protocol Default Administrative 
Distance 

Static 1 

E-BGP 20 

OSPF 80 

RIP 120 

|-BGP 200 














In addition to the distance parameter, the best route is selected by comparing a metric parameter. The 
metric is generally computed by the IGP/EGP routing protocol. Static routes and directly connected routes 
have a metric equal to zero. If two routes have the same distance and metric, hash-based load sharing 
applies. 


To add a default route through a gateway, use the following command: 
CLI (configure)> ip route 0.0.0.0 0.0.0.0 <gateway> 
Static routes are maintained in a separate database until they are explicitly deleted by the user. Once a 


static route becomes usable, it is put into the IP routing table. Similarly when a static route becomes 
unusable due to a change in network interfaces, it is automatically removed from the routing table. 


To delete a static route, use the ‘no' form of the above-referenced command. 
4.5.2.6 | Multi-path Routes 


IP multi-path routes are meant multiple routes to the same destination. In the current implementation, IP 
multi-path routes are mainly used to provide backup routes to the primary route when the latter gets down. 
A router is required to make appropriate decision on which route should be selected to forward packets 
destined to a given destination. To configure multi-path routes, one can enter, for example, the following 
commands in global configuration mode: 


CLI (configure)> ip route 10.1.1.0 255.255.255.0 192.168.2.1 2 
CLI (configure)> ip route 10.1.1.0 255.255.255.0 192.168.3.3 10 


If the two routes are both eligible (outgoing interface is up), the route with the least metric is chosen, that 
is, the first route. If the outgoing interface of the first route goes down for any reason, the second route will 
be chosen. In practice, ISDN is commonly used as a backup interface. 


If the first route is up again, traffic will be redirected to that route. The link of the backup route could be 
shutdown upon idle timeout, for example, the case that the two routes are of the same metric, the first 
route in configuration order will be chosen. 


4.5.2.7 Flow based Load Sharing 


To set the load sharing mode, use the following command in global configuration mode: 


CLI (configure)> ip load-sharing { per-destination | per-packet } 


per-destination is the default mode (default value). 
4.5.2.8 Static ARP Entry 


To set a static ARP entry for an IP address, use the following command in global configuration mode: 


CLI (configure)> arp <ip-address> <hardware-address> arpa 


The hardware address is specified in a common format, for example, 08:00:01:02:03:04. A route to the 
given IP address must exist in the routing table, or otherwise this command will fail. 


To delete an ARP entry, use the no form of the above-referenced command. 
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4.5.2.9 ARP Timeout 


To change the ARP timeout value, use the following command in interface configuration mode: 


CLI (config-if)> arp timeout <seconds> 


The default value is 7200 seconds (120 minutes). To return to the default value, use the command: 





CLI (config-if)> default arp timeout 
4.5.2.10 Domain Name Server 


To set the domain name, use the following command in global configuration mode: 


CLI (configure)> ip domain-name <your-domain> 


To set the name server addresses (up to 3), use the following command: 


CLI (configure)> ip name-server <dns-address> [dns-address] [dns-address] 


To delete the IP domain name or IP name server, use the ‘no' form of the above-referenced commands. 
4.5.2.11 Host Name/Address Binding 


Use the following command in global configuration mode to create a host name/address binding: 


CLI (configure)> ip host <hostname> <ip-address> 


To delete a host name/address binding, use the ‘no’ form of the above-referenced command. 
4.5.2.12 Enable IP Route Cache 


To enable IP route cache, use the following command in global configuration mode: 


CLI (configure)> ip route-cache 


By default, IP route cache is enabled. To disable IP route cache, use the 'no' form of the above-referenced 
command. 


4.5.2.13 Shutting Down an Interface 


To shutdown an interface (no longer able to receive and send packets), use the following command in 
interface configuration mode: 


CLI (config-if)> shutdown 


To restart the interface, use the ‘no' form of the above-referenced command. 


If an interface is shutdown, the address or addresses assigned to that interface will be unreachable, that 
means, if one pings one of the interface addresses, it will not work. 


4.5.2.14 ICMP Redirect 


To send ICMP redirect messages, use the following command in global configuration mode: 


CLI (configure)> ip icmp redirect 


The default is to send ICMP redirect messages. To disable it, use the ‘no' form of the above-referenced 
command. 


4.5.2.15 ICMP Unreachable 
To enable the sending of ICMP unreachable messages, use the following command in interface 


configuration mode: 


CLI (config-if)> ip unreachables 
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The default is to send ICMP unreachable messages. To disable it, use the ‘no' form of the above- 
referenced command. 


4.5.2.16 Virtual Interfaces 


Loopback interfaces can be created or deleted using configuration commands. Loopback0O is automatically 
created by the system and cannot be modified by user. To create a new Loopback interface, use the 
following command in global configuration mode: 


CLI (configure)> interface Loopback <unit> 
The unit number should be any number greater than 0. This command, if successful, will enter into 


interface configuration mode. Then user can use the IP interface configuration commands to set the IP 
address or any other parameters. To delete a Loopback interface, use the command: 


CLI (configure)> no interface Loopback <unit> 


Note that the Null interface is not configurable and is always present in the system. 
4.5.2.17_ TCP connections supervision 


TCP connections (network connections) are supervised by OneOS at establishment of the connections as 
well as all through the connections to detect idle conditions. 


At network connection establishment OneOS sends a SYN packet and by default waits the answer for 
6 seconds. If no answer is received, OneOS resends a SYN packet and waits the answer for 2 times 
6 seconds; and so on by default 3 times doubling the period of time each attempt. This allows a networks 
connection to be established by default within 90 seconds (6+12+24+48). 


To modify the initial timeout and the number of retries values use the following commands in global 
configuration mode: 


CLI (configure)> ip tep syn initial-timeout <2-64 even; default 6 seconds> 
CLI (configure)> ip tep syn retries <1-10; default 3 retries> 


To restore the default values use the following commands: 


CLI (configure)> default ip tcp syn initial-timeout 





CLI (configure)> default ip tcp syn retries 


All through the network connection when no packet is sent or receive for 75 seconds (default value), 
OneOS sends an ACK packet and by default waits the answer for another 75 seconds. If no answer is 
received after 8 attempts (default value) the TCP connection is released. 


To modify the timeout and the number of retries values use the following commands in global configuration 
mode: 


CLI (configure)> ip tcp keepalive timeout <1-3600; default 75 seconds> 





CLI (configure)> ip tep keepalive retries <0-20; default 8 retries> 


To restore the default values use the following commands: 


CLI (configure)> default ip tcp keepalive timeout 





CLI (configure)> default ip tcp keepalive retries 
4.5.2.18 TCP MSS Adjustment 


It is common that network interface of any type supports MTU (Maximum Transmission Unit) larger than or 
equal to 1500 bytes, the MTU value used in LANs. However it is more and more often the case that some 
interfaces such as PPPoE and VLAN have a MTU less than 1500 bytes. In general, with IP Path MTU 
discovery, end hosts will adapt TCP MSS (Maximum Segment Size) to meet the smallest MTU along the 
path. A problem is that the PMTU discovery makes use of ICMP error messages to report the MTU to use 
and a lot of organizations have a firewall to filter out such messages. As a result, the source continues to 
send 1500 byte packets with the DF bit set (Don't Fragment, used along with PMTU) in the IP header, and 
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these packets are all dropped by the router. 


To overcome this problem, TCP MSS adjustment can be used to change TCP MSS value in TCP SYN 
packets such that subsequent TCP packets will not exceed the MTU of the interface in question. To apply 
TCP MSS adjustment, use the following command in interface configuration mode: 


CLI (config-if)> ip tcp adjust-mss <bytes> 
The maximum value allowed is the interface MTU minus the minimum TCP/IP header size, 40 bytes. For 
example, for PPPoE interface, one could use the value 1452. 


To disable TCP MSS adjustment, use the no form of the above-referenced command. 
4.5.2.19 IP Helper Address 


Helper addresses is a feature that permits to forward broadcast packets received from an interface to a 
named server address. For example, DHCP packets received on interface Ethernet are altered so that the 
new destination address is the address of the declared server address; then packets are routed to the 
server address. 


To declare a server address on an interface, so that all received broadcast packets are redirected to that 
server, use the following command in interface configuration mode: 


CLI (config-if)> ip helper-address <A.B.C.D> 
It is possible to configure several server addresses so that packets are redirected to both server 
addresses. 
Forwarded packets are only UDP packets and by default only for the following ports: 


- 37: Time protocol 

- 42: Host Name Server / WINS 

- 49: TACACS - Login Host Protocol 

- 53: Domain Name Service (DNS) 

- 67: BOOTP Server - Bootstrap Protocol Server / DHCP 
- 68: BOOTP Client - Bootstrap Protocol Client / DHCP 

- 69: TFTP - Trivial File Transfer Protocol 

- 137: NETBIOS Name Service 

- 138: NETBIOS Datagram Service 


To disable a server address, use the no form of the command: 


CLI (config-if)> no ip helper-address <A.B.C.D> 


To add a specific protocol to be forwarded, use the following command in configuration mode: 


CLI (configure)> ip forward-protocol udp <1-65535> 


To remove a specific protocol to be forwarded, use the no form of the command: 


CLI (configure)> no ip forward-protocol udp <1-65535> 
4.5.2.20 ARP Proxy 


Certain stations are not able to support CIDR subnets, which do not fall in standard class A/B/C network 
ranges. In the event, the LAN subnet (e.g. 255.255.255.248) is smaller than the network configured on the 
workstation (e.g. 255.255.255.0), the station sends ARP requests on the LAN for IP addresses outside the 
subnet. Without ARP proxy, no equipment should respond. 


The ARP proxy function catches the ARP request destined to IP addresses outside the subnet and spoofs 
the answer as if the router was the actual workstation. Then the workstation sends packets with the router 
MAC address as destination. 


ARP proxy is disabled by default. To enable the ARP proxy (from interface configuration mode): 
CLI (config-if)> ip proxy-arp 


To disable ARP proxy: 


CLI (config-if)> no ip proxy-arp 
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4.5.3 Configuration Example 


The following configuration example of a small network illustrates a connection to the Internet via a DSL 
line. Only static routes are used in this example. 
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At Router A, a PVC to the router 50.0.0.3 is set up for an Internet connection. On that connection, IP NAT 
is configured to use interface address overloading (address/port translation). One static route 192.168.3.0 
is configured to interconnect another private network. Two static routes are configured to avoid sending 
packets destined to private addresses to the Internet (dropped by Null 0). One default route is set up 
through 50.0.0.3, which is generally a router operated by the service provider. 


interface Ethernet 0/0 

ip address 192.168.2.1 255.255.255.0 
exit 

interface FastEthernet 0/0 

ip address 192.168.1.1 255.255.255.0 
exit 

interface Atm 0.1 

pve ipoa vpi 0 vci 32 

ip address 50.0.0.4 255.255.255.0 
execute 

exit 

ip nat inside overload 

exit 

ip route 192.168.3.0 255.255.255.0 192.168.1.2 
ip route 10.0.0.0 255.0.0.0 Null 0 

ip route 172.16.0.0 255.240.0.0 Null 0 
ip route 192.168.0.0 255.255.0.0 Null 0 
ip route 0.0.0.0 0.0.0.0 50.0.0.3 


The configuration of Router B: 


interface Ethernet 0/0 

ip address 192.168.3.1 255.255.255.0 
exit 

interface FastEthernet 0/0 

ip address 192.168.1.2 255.255.255.0 
exit 

ip route 0.0.0.0 0.0.0.0 192.168.1.1 


4.5.4 Statistics 


Use the following commands to display the ARP table and statistics: 


CLI> show arp 
Protocol address Hardware address Age (min) Interface Type 
20.1.1.44 00:80:c8:c9:a6:85 19 FastEthernet 0/0 ARPA 
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192.168.2.7 00:00:3b:80:1f:ca 2 Ethernet 0/0 ARPA 
192.168.2.11 00:00:92:a7:d0:ec 19 Ethernet 0/0 ARPA 
CLI> show arp statistics 

ARP statistics: 

IN: 512 requests, 4 replies, 0 discards 

0 packets in queue, 0 queue drops 

OUT: 5 requests, 0 replies 








6 local resolution attempts (0 failures) 
prune timer 60 sec, hold timer 1200 sec, keep-down timer 20 sec 
retransmission timer 1 sec, max tries 5 


Use the following command to display the interface table (if an interface name is specified only the 
parameters of that interface are displayed): 


CLI> show interfaces 

Ethernet 0/0 is up, line protocol is up 

Flags: (0x8063) BROADCAST MULTICAST ARP, interface index is 1 
Encapsulation: 802.3 

Hardware address is 08:00:5l:ef:fa:ce, ARP timeout 1200 sec 
Internet address is 192.168.2.1, broadcast address is 192.168.2.255 
TU 1500 bytes, line speed 10000 kb/s, bandwidth limit 10000 kb/s 
Output queuing strategy: fifo, output queue length/depth 0/50 
IN: 201612 packets, 12103580 bytes 

201612 unicast packets, 0 non-unicast packets 

18 unknown protocols, 0 errors, 6 discards, 0 queue drops 

OUT: 201477 packets, 10132769 bytes 

201477 unicast packets, O non-unicast packets 

0 errors, 0 discards, 0 queue drops 

Loopback 0 is up 

Flags: (0x80e9) LOOPBACK MULTICAST, interface index is 9902 
Internet address is 127.0.0.1 

MTU 32768 bytes, line speed unknown 

Output queuing strategy: fifo, output queue length/depth 0/50 
IN: 0 packets, O bytes, 0 non-unicast packets 

O unknown protocols, 0 errors, O queue drops 

OUT: O packets, O bytes, O non-unicast packets 

0 errors 

Null 0 is up 

Flags: (0x80e1) MULTICAST, interface index is 9901 

MTU 32768 bytes, line speed unknown 

Output queuing strategy: fifo, output queue length/depth 0/50 
IN: 0 packets, 0 bytes, 0 non-unicast packets 

O unknown protocols, 0 errors, O queue drops 

OUT: O packets, O bytes, O non-unicast packets 

0 errors 

FastEthernet 0/0 is up, line protocol is up 

Flags: (0x8063) BROADCAST MULTICAST ARP, interface index is 101 
Hardware address is 08:00:51:fa:ca:de, ARP timeout 1200 sec 
Internet address is 192.168.1.1, broadcast address is 192.168.1.255 
Encapsulation: 802.3 

TU 1500 bytes, line speed 100000 kb/s, bandwidth limit 100000 kb/s 
Output queuing strategy: fifo, output queue length/depth 0/50 
IN: 117 packets, 7118 bytes 

1 unicast packets, 116 non-unicast packets 

O unknown protocols, 0 errors, 0 errors, 0 queue drops 

OUT: 3 packets, 98 bytes 

2 unicast packets, 1 non-unicast packets 

0 errors, O queue drops 

Atm 0.1 is up, line protocol is up 

Flags: (0x8023) BROADCAST MULTICAST, interface index is 20201 
Encapsulation: IP-over-Atm 

Internet address is 50.0.0.4 

TU 1500 bytes, line speed 2000 kb/s, bandwidth limit 2000 kb/s 
Output queuing strategy: cbhq 

IN: 200342 packets, 13625966 bytes 

200342 unicast packets, O non-unicast packets 

O unknown protocols, 0 discards, 0 errors, 0 queue drops 
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OUT: 200185 packets, 10012476 bytes 
200185 unicast packets, 0 non-unicast packets 
O errors, O queue drops 


Use the following command to display IP configuration parameters associated with an interface (if an 
interface name is given only the parameters of that interface are displayed): 


CLI> show ip interfaces 

thernet 0/0 is up 

nternet address is 192.168.2.1, broadcast address is 192.168.2.255 
TU is 1500, metric is 0 

Inbound access list not set 
Outgoing access list not set 

ICMP redirects are always sent 
ICMP unreachables are always sent 
ICMP mask replies are never sent 
Network address translation is disabled 
Input service policy not set 
Output service policy not set 
Reverse Path Forwarding disabled 
TCP MSS adjust not set 

Policy route map not set 

Loopback 0 is up 

Internet address is 127.0.0.1 

TU is 32768, metric is 0 

Inbound access list not set 
Outgoing access list not set 

ICMP redirects are always sent 
ICMP unreachables are always sent 
ICMP mask replies are never sent 
Network address translation is disabled 
Input service policy not set 
Output service policy not set 
Reverse Path Forwarding disabled 
TCP MSS adjust not set 

Policy route map not set 

Null 0 is up 

TU is 32768, metric is 0 

Inbound access list not set 
Outgoing access list not set 

ICMP redirects are always sent 
ICMP unreachables are always sent 
ICMP mask replies are never sent 
Network address translation is disabled 
Input service policy not set 
Output service policy not set 
Reverse Path Forwarding disabled 
TCP MSS adjust not set 

Policy route map not set 
FastEthernet 0/0 is up 

Internet address is 192.168.1.1, broadcast address is 192.168.1.255 
TU is 1500, metric is 0 

Inbound access list not set 
Outgoing access list not set 

ICMP redirects are always sent 
ICMP unreachables are always sent 
ICMP mask replies are never sent 
Network address translation is disabled 
Input service policy not set 
Output service policy not set 
Reverse Path Forwarding disabled 
TCP MSS adjust not set 

Policy route map not set 

Atm 0.1 is up 

Internet address is 50.0.0.4 

TU is 1500, metric is 0 

Inbound access list not set 
Outgoing access list not set 


H FI 


4 
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ICMP redirects are always sent 

ICMP unreachables are always sent 

ICMP mask replies are never sent 
Network address translation is disabled 
Input service policy not set 

Output service policy is demo 

Reverse Path Forwarding disabled 

TCP MSS adjust not set 

Policy route map not set 








To display the status of all interfaces, use the next command: 


CLI> show ip interface brief 


The text output of this command shows the status of all logical sub-interfaces. ‘STATUS’ is the 
administrative status (i.e. shutdown or not shutdown). ‘Protocol’ is the operational status. 


Use the following command to display the routing table: 


CLI> show ip route 
Codes: C connected, S static, R RIP, O OSPF, B BGP, o other 


default via 50.0.0.3, Atm 0.1 
20.1.1.0/24 is directly connected, FastEthernet 0/0 
50.0.0.0/24 is directly connected, Atm 0.1 
127.0.0.1/32 is directly connected, Loopback 0 
192.168.2.0/24 is directly connected, Ethernet 0/0 





QAaagAgARAAN 








Use the following command to display IP statistics: 


CLI> show ip statistics 

IP statistics: 

IN: 401611 total, 1348 local destination (0/0 queue lentgh/drops) 

0 too short, O bad header length, 0 bad total length 

0 bad version, O bad checksum, 0 can't forward 

2 unknown protocol, O discards 

0 fragments, 0 packets reassembled, 0 fragments dropped, 0 timeouts 
OUT: 400238 forwarded, 1146 local source 

0 no route, O no buffer, 3 discards 

QO packets fragmented, 0 can't fragment, O fragments created 





Use the following command to display ICMP statistics: 


CLI> show icmp statistics 

ICMP statistics: 

IN: O format errors, 0 checksum errors 

OQ redirects, 2 unreachable, 25 echo, 0 echo reply 

0 mask requests, 0 mask replies, 0 quench 

0 parameter problem, 0 timestamp, 0 info request, 0 other 

OUT: O redirects, 23 unreachable, 0 echo, 25 echo reply 

0 mask requests, 0 mask replies, 0 quench 

0 parameter problem, 0 timestamp, 0 info reply, 0 time exceeded 





Use the following command to display TCP statistics: 


CLI> show tcp statistics 

TCP statistics: 

IN: 1181 total 

Q checksum error, O bad offset, 0 too short 

673 packets (2220 bytes) in sequence 

QO dup packets (0 bytes) 

partially dup packets (0 bytes) 

out-of-order packets (0 bytes) 

packets (0 bytes) with data after window 
packets after clos 

window probe packets, 0 window update packets 
dup ack packets, 0 ack packets with unsend data 
644 ack packets (49357 bytes) 

OUT: 1183 total, 0 urgent packets 








aoovoodno 
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6 control packets 
638 data packets (49350 bytes) 

O data packets (0 bytes) retransmitted 
539 ack only packets (2 delayed) 

0 window probe packets, 


O window update packets 


6 connections established (including 2 initiated, 4 accepted) 


7 connections closed (including 0 dropped, 
0 connections dropped in rxmt timeout 


0 total rxmt timeout, 


0 embryonic dropped) 


connections 








0 keepaliv timeout, 0 keepaliv 


keepalive 


Use the following command to display UDP statistics: 


CLI> show udp statistics 
UDP statistics: 

IN: 232 total, O no port 
0 buffer-full drops 

0 checksum error, 
OUT: 4 total 


Use the following command to display IGMP statistics: 


CLI> show igmp statistics 
IGMP statistics: 

IN: 0 total, O too short, 
QO queries, O bad queries 
OQ reports, O bad reports, 
OUT: O reports 

Locally joined multicast groups: 
224.0.0.1/Ethernet 0/0 
224.0.0.1/Atm 0.1 
224.0.0.1/Loopback 0 
224.0.0.1/FastEthernet 0/0 








Use the following command to display all TCP/IP stack statistics: 


CLI> show ip traffic 


probe, 0 


(unicasts), 232 no port 


0 bad length, O too short 


0 checksum errors 


dropped in 


(broadcasts), 


0 reports for local groups 


To display information about TCP sockets running on the router, use the command: 


CLI> show tcp sessions 


To display information about UDP sockets running on the router, use the command: 


CLI> show udp sessions 


To clear interface input/output counters, use the command: 


CLI> clear counters [<interface-type> <unit>] 


If interface name is not given, all interface counters are reset. 


To clear IP counters, use the command: 


CLI> clear ip counters 


To clear TCP counters, use the command: 


CLI> clear tcp counters 


To clear UDP counters, use the command: 


CLI> clear udp counters 


To clear ARP cache, use the command: 


CLI> clear arp-cache 


To clear IP route cache, use the command: 


CLI> clear ip cache 
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4.5.5 Debug and Trace 


The following commands enable detailed traces for debugging IP modules. To enable IP routing 
debugging, use the following command in global mode: 


CLI> [no] debug ip routing 


To enable IP route cache debugging, use the following command in global mode: 


CLI> [no] debug ip cache 


To enable IP interface debugging, use the following command in global mode: 


CLI> [no] debug ip interface 


To enable Address Resolution protocol debugging, use the following command in global mode: 


CLI> [no] debug arp 


To disable the debugging of a protocol or module, use the no form of the corresponding command. To 
display the current debugging modules, use the command: 


CLI> show debug 
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4.6 TUNNELING ENCAPSULATION PROTOCOLS 


This section describes encapsulation protocols. 
4.6.1 Features 
4.6.1.1 GRE Encapsulation Protocol 


GRE is a technique that enables to encapsulate packets using a GRE encapsulation header. A GRE 
header has a variable-length header, depending of the options the header supports. 





Payload (IP packet) 





GRE header 


a 


C, K and S are optional flags, meaning that respective fields are present on the header: checksum, key 
and sequence number fields. 





Emitted packets are sent with a GRE header of at least 4-byte, while all flags are managed when receiving 
GRE packets. 


4.6.1.2. IP over IP Encapsulation Protocol 


An IP header is added with the assigned destination and source address required by the tunnel 
configuration. 


4.6.1.3. Path MTU Discovery (PMTUD) 


As defined in RFC 1191, PMTU prevents the fragmentation of IP packets along the path from the source to 
the destination. If fragmentation occurs along the path, it can considerably degrade the performance of 
TCP, particularly in the case of network congestion. 


When using tunnels, destination address of the tunnel can be routed through many routers until reaching 
the endpoint. PMTUD was developed to avoid fragmentation in the path between the endpoints. It 
determines dynamically the lowest MTU along the path from the packet source to its destination and 
applies the MTU to the tunnel interface MTU. 


4.6.1.4 IP Unnumbered 


This feature helps a tunnel interface to be considered as a routable interface, because it borrows the IP 
address of a specified interface. Both interfaces share the same address. There are two advantages in 
using unnumbered interfaces: 


1. Some IP addresses are saved: if a lot of devices need to be installed on a sub-network with a limited 
pool of addresses. 
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2. Routes learned through the IP unnumbered interface use the interface as next hop instead of the 
source address of the routing update. Thus, problems with invalid next hop address are avoided 
because the source of the routing update coming from a next hop is not directly connected. That is 
why only point-to-point interfaces can be unnumbered interfaces. 


4.6.2 Configuration Commands 


Tunnel interfaces can be created or deleted using configuration commands. To create a new tunnel 
interface, use the following command in global configuration mode: 


CLI (configure)> interface tunnel <unit> 
The unit number should be any number greater than 0. This command, if successful, will enter into 


interface configuration mode. Then user can use the IP interface configuration commands to set the IP 
address or any other parameters. To delete a Tunnel interface, use the command: 


CLI (configure)> no interface tunnel <unit> 
4.6.2.1 Setting the IP Interface 


Setting the IP interface determines the source IP address of a packet emitted by the router on a tunnel 
interface. 


4.6.2.1.1. Unnumbered Interface 
To configure tunnel interface as unnumbered and permit IP routing on this interface, use the following 


command in tunnel interface configuration mode: 


CLI (config-if)> ip unnumbered <type> <unit> 


type (here 'tunnel') and unit describe the IP interface. 


To unset tunnel interface as unnumbered, use the following command in tunnel interface configuration 
mode: 


CLI (config-if)> no ip unnumbered 
4.6.2.1.2 IP Interface Address 


To configure the IP address of a tunnel, use the next commana: 


CLI (config-if)> ip address <ip> <mask> 
4.6.2.2 Setting tunnel source/destination 
To configure tunnel source and/or destination address, use the following command in tunnel interface 


configuration mode: 


CLI (config-if)> tunnel source { <A.B.C.D> | <type> <unit> } 
CLI (config-if)> tunnel destination { <A.B.C.D> | <Hostname> | passive } 


When using the passive keyword, it is assumed that the router is a kind of ‘GRE server’ and it does not 
know the IP address of the GRE peer in advance. The peer IP address will be learnt when the remote peer 
will connect the GRE tunnel for the first time. This feature is useful when a central site router has a static 
IP address whereas branch-office (GRE client) routers have dynamic IP addresses, i.e. IP addresses that 
are not known a-priori. 


To remove the tunnel source and/or destination address from the configuration, use the no form of the 
above command. 


CLI (config-if)> no tunnel source 


CLI (config-if)> no tunnel destination 
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4.6.2.3 Setting tunnel encapsulation mode 


To configure tunnel encapsulation mode for all routed packets, use the following command in tunnel 
interface configuration mode: 


CLI (config-if)> tunnel mode { ipip | gre | mobileip } 


To come back to default GRE configuration mode, use the no form of the above command. 


CLI (config-if)> no tunnel mode 
4.6.2.4 Setting RFC1701 options 


When enabling GRE, the default behavior is to follow the RFC 2784 standard. This RFC is actually a 
simplified version of RFC 1701, where some options have been chosen as no more configurable. In this 
paragraph, the following commands enable some features specific to RFC 1701. 


To enable the checksum on a GRE interface, use the following command in interface configuration mode: 


CLI (config-if)> tunnel checksum 





CLI (config-if)> no tunnel checksum 
When configured incoming packets must have a checksum inside the header. Otherwise, packets are 
dropped. 


To configure a key identifier on a GRE interface, use the following command in interface configuration 
mode: 


CLI (config-if)> tunnel key <0-4294967295> 





CLI (config-if)> no tunnel key 
When the tunnel key is configured, incoming packets that have not a key identifier, or that have a wrong 
key identifier are systematically dropped. 


To allow datagram sequencing on a GRE interface, use the following command in interface configuration 
mode: 


CLI (config-if)> tunnel sequence-datagrams 





CLI (config-if)> no tunnel sequence-datagrams 


Outgoing GRE packets have their sequencing counter incremented. A received packet is not dropped as 
long as it falls within the reception window (128 packets). The reception window is set between the highest 
sequence number of all currently received packets, noted 'Sh', and (Sh - 128). If a packet is received with 
a sequence number greater than 'Sh', then 'Sh' is set to this new value. The router checks that packets 
have sequence numbers that conforms to the reception window but the router does not reorder packets. 


4.6.2.5 Setting Path MTU Discovery 


To configure path MTU discovery, use the following command in tunnel interface configuration mode: 


CLI (config-if)> tunnel path-mtu-discovery 


To remove path MTU discovery (PMTUD), use: 


CLI (config-if)> no tunnel path-mtu-discovery 


When the PMTUD is activated, the router sends every tunnel packets with the DF bit set as '1', so that 
packets exceeding the MTU of routers along the tunnel path are dropped. The router dropping a packet 
must issue an ICMP error message indicating the MTU. When PMTUD is activated, the originating router 
intercepts the ICMP error message and resets its tunnel MTU so that it corresponds to the lowest MTU 
along the tunnel path. 


Additional parameters for Path MTU Discovery: 


e The path MTU will decrease as paths with lower MTU paths are discovered. However, the path MTU 
should be increased if such low MTU path disappear, hence an aging timer to increase path MTU 
again (default: 10 minutes, infinite disables the aging timer). 
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CLI (config-if)> tunnel path-mtu-discovery {age-timer <minutes 10-30> | 
infinite} 
e To prevent path MTU to be excessively lowered, a minimum MTU can be set (default: 92 bytes). 


CLI (config-if)> tunnel path-mtu-discovery min-mtu <bytes 92-65535> 
4.6.2.6 Setting Keepalive 


The keepalive is a feature that monitors a GRE tunnel. Some keepalive packets are sent periodically and 
must be looped back by the remote-end. The successful reception of looped keepalive is considered as 
the criterion to keep the GRE tunnel interface as up. 


By default, the keepalive feature is deactivated and the tunnel is always up if its configuration is complete 
and a route to the tunnel destination is known. If keepalive is enabled, the tunnel is down as long as no 
answer from the remote is received (i.e. the remote has not looped received keepalive packets). Keepalive 
packets are sent periodically (default: 10 seconds). When the tunnel is up, the tunnel interface can go 
down after a configurable number of successively unsuccessful keepalive packets (default number of 
retries: 3). To activate keepalive, type the following command under tunnel interface configuration mode: 


CLI (config-if)> keepalive [ <period-in-seconds> [ <number-of-retries> ] ] 


To disable keepalive: 


CLI (config-if)> no keepalive 


4.6.3 Configuration Examples 


This simple example shows how to configure a GRE tunnel. This example can be used for all platforms. 











Router A 
ATM 0.1: 50.0.0.3 






Router B 
ATM 0.1: 50.0.0.4 
















Untrusted 
network 
































10.1.2.0/24 10.1.3.0/24 










Src: 50.0.0.3 
Dst: 50.0.0.4 


Sre: 50.0.0.4 


10.1.3.0/24 Dst: 50.0.0.3 


10.1.2.0/24 


In this example, two devices connect to each other via a wan interface. To connect the two sub-networks 
without modifying IP headers, a tunnel interface is created. 


IP address 10.1.3.1 on router A permits to connect 10.1.3.0/24 route to tunnel interface. IP address 
10.1.2.1 on router B permits to connect 10.1.2.0/24 route to tunnel interface. Note that assigned IP 
addresses on tunnel interfaces are only used for routing. 


The configuration script is as follows for router A: 


interface FastEthernet 0/0 

ip address 10.1.2.1 255.255.255.0 
exit 

interface Tunnel 1 

ip unnumbered fastethernet 0/0 
tunnel source atm 0.1 

tunnel destination 50.0.0.4 

exit 

interface Atm 0 
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gshds1l 
execute 
exit 
exit 


interface Atm 0.1 

pvc ipoa vpi 0 vci 32 

ip address 50.0.0.3 255.255.255.0 
execute 

exit 

exit 


The configuration script is as follows for router B: 


interface FastEthernet 0/0 
ip address 10.1.3.1 255.255.255.0 
exit 


interface Tunnel 1 

ip unnumbered fastethernet 0/0 
tunnel source atm 0.1 

tunnel destination 50.0.0.3 
exit 

interface Atm 0 

gshds1l 

execute 

exit 

exit 

interface Atm 0.1 

pve ipoa vpi 0 vci 32 

ip address 50.0.0.4 255.255.255.0 
execute 


exit 


exit 


4.6.4 Debug and Trace 


To enable IP tunneling debugging, use the following command: 


CLI> debug ip tunnel 


To disable IP tunneling debugging, use the ‘no’ form of the above command. 
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4.7 


4.7.1 


IP SECURITY 


Introduction 


IP security (IPsec) is a suite of IP protocols that permit IP flows to be encrypted and/or authenticated. For 
example, if you want to transport information securely from one sub-network A to one other sub-network B 
by using a untrusted network (for example, the Internet), IPsec provides some guarantees about several 
security levels for delivering packets from A to B and vice-versa. Below is represented an example of an 
IPsec application: 
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IPsec Tunnel: Encrypted and/or Authenticated 
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The packets exchanged between sub-networks A and B are transported in an IPsec tunnel. IPsec is 
actually broken down in two flavors: the tunnel mode and the transport mode. 


e The transport mode is usually applied when the IPsec session is terminated directly in the hosts. 
Indeed, the IP header is not modified, only the payload changes. 


e When using the tunnel mode, a new IP header is added and corresponds to the source and 
destination addresses of the IPsec gateways as shown on the figure above. When no authentication 
and encryption is applied, an IPsec tunnel is quite similar to a GRE tunnel. 


The diagram below illustrates both modes when using an Authentication Header (AH). 


Transport Mode: IP Header is kept 
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Tunnel Mode: new IP Header 
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IP security protocols are based on cryptographic algorithms. The keying material between two hosts 
provides several properties: 


e Integrity of the packet: if modified, the packet is recognized as such and is then dropped. For example, 
a malicious user cannot change the source IP address of the packet so as to speak on behalf of the 
real emitter. 


e Authenticity: it is guaranteed that the packet comes from the host X, because the packet has not been 
altered and the encryption could only be performed by means of a secret keying material. 


e Confidentiality: the packet can be fully encrypted; therefore it cannot be read by any third party that 
has no prior knowledge of the keying material. 


e Security: prevents security against certain attacks such as unauthorized insertion of frames. 


There are two types of IPsec encapsulations: 


e The Authentication Header (AH) provides authenticity using one of the two following hashing 
algorithms: HMAC-SHA1, HMAC-MD5. 


e The Encapsulation Security Payload (ESP) provides encryption and optional authentication using the 
following protocols algorithm: for encryption NULL (no encryption) or DES (64 bits) or 3DES (92 bits) 
or AES (128, 192 or 256 bits) and for authentication HMAC-SHA1 (80 bits) or HMUAC-MD5 (64 bits) or 
no authentication. 


An ESP packet has the following structure: 


Tunnel Mode: new IP Header, full IP packet encryption 









































IP Header Payload 
ESP ESP 
new IP Header | ESP Header) IP Header Payload trailer auth. 
« Encrypted ig 
« Authenticated r 


Optional compression is provided when using authentication and/or encryption. The compression is 
applied on outbound packets (IP header + payload), and then it is authenticated and/or encrypted. The 
resulting compressed data require less CPU for encryption. Furthermore, it limits the overhead due to the 
encapsulation (20 bytes for IPV4 packet) plus IPsec overhead (12 bytes for AH, variable-size for ESP 
packet with padding). 


The encapsulation type of an IP packet in one of the IPsec modes is called a "transform set". 


To enable peer IPsec Gateways to understand each other, both instances of the IPsec protocol contain a 
Security Protocol Index (SPI), that is added to the protocol type (AH or ESP) and the IP destination. 
SPI and source address uniquely identify a Security Association (SA). 


As a tunnel is bi-directional, two SAs are required, one for each direction. 


IPsec not only defines how the traffic is secured, but also which traffic should be encrypted. It is managed 
by the Security Policy Database (SPD): it is a table made up of several entries. The SPD is a table whose 
entries provide a set of selectors and associated actions. A selector is a filtering criterion that determines 
the action to apply on a packet. (It can be forwarded, dropped, or processed with specified IPsec SA 
parameters). For example, all inbound traffic passes through a crypto map. If packet is not encrypted and if 
it matches a SPD entry, then the packet is dropped. If the packet is not encrypted and does not match an 
SPD entry, it is forwarded. 


IPsec protocols are highly robust but this robustness is as good as the secrecy of the keying material. 
Obviously, a poor management of the keying material weakens many robust cryptographic techniques. 
Among solutions to increase robustness of the security associations: 
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e Decrease the lifetime of a security association to renew the keys quite often. Since the keys are 
refreshed, the hacker has to compute and break keys much more often. Therefore, it makes it harder 
for a pirate to make eavesdropping. For example, 1200 seconds is reasonable for a simple DES 
transform. 


e Using a strong keying material. Indeed, some key generators are weak and keys are thus easier to 
break. 


e Using advanced transforms. For example, 3DES is stronger than DES, because key length is three 
times longer than the DES transform. AES is also stronger than 3DES; this is due to the encryption 
method. 


e Using proprietary transforms. Unlike DES family or AES, some transforms are not known from the 
public. Hence it is harder to break keys without prior knowledge of the technique used. 


Internet Security Association and Key Management Protocol (ISAKMP) 


As the renewal of keys must be synchronized at both end points of the IPsec tunnel, a framework called 
ISAKMP (Internet Security Association and Key Management Protocol) is implemented. ISAKMP provides 
the following services: 


e Internet Key Exchange (IKE): IKE permits to negotiate dynamically IPsec SA between two IPsec 
peers. Before negotiating the SA, a secure data channel must be established between the peers. 
Once this secure channel is established, the peers can negotiate faster and more efficiently the setup 
of IPsec SA, as the exchanged information is already secured. Therefore, this channel is a 
management channel. The channel is called an ISAKMP Security Association (SA) (-which can be 
rather confusing-); however, this special SA should not be mixed up with the conventional IPsec SA. 


This part is also referred to as IKE phase 1. During this phase, the authentication data permits the 
validation and completion of the IKE SA establishment. The keys for IKE SA authentication are 
actually retrieved through an external mechanism, independent of the IKE protocol (see further "Pre- 
shared keys and Digital certificates"). 


During phase 1, the IKE peers exchange: 
e ISAKMP SA parameter offer 
e Keying material 
e Identification and authentication data 


e Negotiation of security attributes: ISAKMP sends to the remote peer which traffic should be 
selected, and how it should be encrypted. 


e IPsec SA Negotiation: This part is also called IKE phase 2. As an IKE SA was created in phase 1, a 
secure communication path exists between the two IPsec peers. This second phase enables the 
creation of IPsec SA, which creates a secure communication tunnel for user traffic. 


IKE will create the SA by exchanging the SA parameters stored in the Security Policy Database (SPD) 
and generate the keys. The keys are automatically generated by IKE for each SA using Oakley key 
determination protocol (RFC 2412). Here, the user can select the aggressive mode (1.5 round trips 
taking less time to establish) or the main mode (3 round trips more robust towards attacks). 


As the encryption keys are relatively short (56 bits for DES), it takes not too long for a computer to 
"crack" a key. Therefore, the keys need to be refreshed quite often. The Oakley quick mode is used 
for key refresh and the refresh timer can be adjusted (short key refreshed quite often — less 
computation — or longer/more robust key refreshed after longer intervals). 


Once the IPsec SA is created, it is registered in the Security Association Database. The IPsec SA 
exits as long as there is user traffic for that SA. If no user traffic transits through that SA during a 
configured inactivity period, it is destroyed. 


Pre-shared keys and Digital certificates 


Pre-shared keys are the simplest way to authenticate during IKE phase 1. In this method both the initiator 
and responder must have the same pre-shared keys. The keys are agreed upon in advance using an out- 
of-band technique. One disadvantage of this method is that the distribution of the secret to the peers must 
occur in a secured way or is based on trust. Another disadvantage is that in IKE main mode, because the 
ID payloads are encrypted, the responder is not aware of the identity of the initiator. In remote access 
scenarios such as telecommuting, the source IP address of the initiator is not known in advance to the 
responder. In such cases, aggressive mode is the only choice with pre-shared key authentication. 
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As of V4.2R5E6 software release, digital certificates are supported as an alternative method to 
authenticate peers. Each peer has a private key and corresponding public key. The private key is used for 
encryption purposes of the information to send. The public key is put in a certificate along with the peer’s 
ID. The certificate is signed (digital signature) by a Certificate Authority (CA). Each peer sends during the 
IKE phase 1 its certificate to the other peer. On reception of the certificate each peer first authenticates the 
certificate by re-calculating its digital signature using the CA public key which is in the root certificate. If a 
digital signature match is found, the router can trust its peer, based on its trust in the Certificate Authority. 
Next the hash values exchanged during the IKE phase 1 are signed by the private keys of each peer. The 
recipients of the signature will use the signer’s public key to decrypt and verify the message. 


The set-up of an IP VPN network with digital certificates is based on a public key infrastructure. Each 
router needs a private and public key pair and a corresponding digital certificate. The digital certificate 
(self-certificate) is stored on the router, typically on the file system. To generate the certificate, the contents 
are prepared and sent to the CA in a pre-defined format. The most widely used format for digital 
certificates is X.509, which is supported by OneOS. The CA signs it (= add a digital signature of the 
certificate contents using the CA private key) and returns the signed certificate to the requester, who then 
stores it on the router. The Certificate Authority can be a company specialized in delivering this service 
(e.g. VeriSign). Alternatively, the organization that owns the routers can set-up its own Certificate 
Authority. The latter is worth considering if it concerns a large network with many routers and according 
certificates. 


Each OneOS-based router may have a single certificate for IPsec VPN. In addition the router must also 
store the CA root certificate for authenticating the peer’s certificate. Note that each certificate has also a 
validity period, which is checked. The validity period of a certificate is typically 20 years. 


IKE keepalive and Dead peer Detection 


IP reachable IPsec peers is required for an IPsec session to be established between them. IPsec and IKE 
have by default no way to identify the loss of peer connectivity. Therefore OneOS provides the 
configuration of an IKE periodic keepalive mechanism. The keepalive interval and maximum number of 
retries is configurable. 


Dead Peer Detection (DPD — RFC3706) is an alternative mechanism that is more scalable than IKE 
keepalive in detecting dead IPsec peers. DPD does not send any messages between the peers whenever 
there is IPsec traffic running. If an IPsec peer needs to send itself traffic and it did not receive any traffic 
from its peer for a certain time, it sends a DPD exchange to check connectivity. This mechanism saves 
more resources on the router than the keepalive mechanism. 


IPsec encapsulated GRE and L2TP tunnels 
Designing a VPN using IPsec for connectivity between peers has some inherent limitations. These are: 


e IPsec can encrypt/decrypt only IP traffic. 


IP traffic destined to a multicast or broadcast IP address cannot be handled by IPsec, which means 
they cannot traverse the IPsec tunnel. Broadcast and multicast packets are typically used by routing 
protocols. 


IPsec encapsulated GRE or L2TP tunnels (respectively RFC 3193) provide a solution. Like native IPsec, 
they can be set-up in transport and tunnel mode. Unlike native IPsec tunnels, IPsec encapsulated GRE 
and L2TP tunnels are almost always used in IPsec transport mode as GRE or L2TP provide already a new 
IP header on the payload. This is the supported mode in OneOS. The drawings below show respectively a 
packet for GRE over IPsec and L2TP over IPsec. 


NAT Traversal (RFC3947) 


Because of the integrity check performed by IPsec, IPsec packets must be modified by no means. If a 
Network Address Translator (NAT) is found along the IPsec packet path, the packets are no more valid. To 
allow IPsec packets to go through NAT, the NAT-Traversal (NAT-T) feature is needed. NAT-T is by default 
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active. NAT-T consists of two functions: 


e NAT discovery: during the IKE peering session establishment, the endpoints try to determine whether 
their remote peer support NAT-T. The NAT will be detected by comparing hashes of the sent NAT 
discovery payloads. If NAT is detected, NAT-Traversal must be enabled 


e NAT-transparent encapsulation: once the NAT is discovered and that the peers agreed to use NAT-T, 
the IPsec packets are not directly encapsulated in an IP tunnel packet but rather within an UDP 
packet. Such encapsulation enables to pass several tunnels using a single public IP address. 


IPsec Processing Path 
IPsec is applied (if enabled) at the following stages of the IP processing path: 


e Outbound: after NAT processing, i.e. the source IP address of tunneled packets is the IP address of 
the output interface 


e —_ Inbound: before NAT 


As a result: if you enabled NAT overload on an interface where a crypto map is enabled, IPsec may 
not function properly. The reason is: when a packet is routed to the interface, it is first NAT-ted. Then the 
packet passes through the IPsec policy. Because the packet was NAT-ted, it may not match the IPsec 
policy any more. Two solutions are possible: the first solution is to configure NAT overload for packets not 
matching the IPsec policy (selective NAT overload: packets are filtered though an ACL. If they matched, 
then packets are NAT-ted). The second solution is to detach the crypto map from the interface and to 
configure a tunnel interface. The second solution requires that the IPsec peer supports NAT-Traversal. 


IP QoS and IPsec 


To allow appropriate output QoS processing, the payload packet TOS byte is copied in the tunnel header. 
This copy enables the TOS marking at the input of the router and the output traffic can be classified based 
on the TOS/DSCP/precedence fields. 


4.7.2 Configuration 
4.7.2.1. Configuration Steps 


The configuration steps are the following: 


1) Define an IPsec transform set(s): transform sets are templates where you define a type of packet 
processing for encryption and authentication. The transform set is applied later on one or more interfaces. 


2) Choose how the IPsec SA (Crypto Maps) are managed: 
e Manual configuration. 
e ISAKMP. If you have selected ISAKMP, you must also configure IKE. 


3) ISAKMP SAs are established dynamically when a packet must be sent by one of the tunnel peers. That 
peer is the initiator of the ISAKMP communication. However, there are some cases where the remote peer 
does not have a predefined IP address (for example, nomad users). The concept of dynamic crypto maps 
solves this issue: a server responds to ISAKMP clients. Only the target IP address of received packets is 
checked. 


4.7.2.2. IPsec Transforms 


An |Psec Transform defines how an IP packet should be secured; it defines the IPsec encapsulation used: 
AH and ESP. It contains information on the algorithm(s) used within the transform. 


To create an IPsec transform and to enter in the IPsec transform configuration mode, use the following 
command line: 


CLI (configure)> crypto ipsec transform-set <name> 
CLI (crypto-trans) > 





To remove an |Psec transform, use the no form of the above command: 
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CLI (configure)> no crypto ipsec transform-set <name> 


The AH encapsulation supports SHA1 and MD5 algorithms. 





CLI(crypto-trans)> { ah-sha-hmac | ah-md5-hmac } [comp-deflate] 


comp-deflate activates the IP compression using the "deflate" algorithm. 


ESP protocol supports the NULL, DES, 3DES and AES algorithms for encryption. SHA1 and MD5 
authentication algorithms are optional. 


CLI(crypto-trans)> { esp-3des | esp-des | esp-aes | esp-aes-192 
| esp-aes-—256 } [ esp-sha-hmac | esp-md5-hmac ] [comp-deflate] 

NULL encryption is supported but authentication is then compulsory. 

CLI (crypto-trans)> esp-null { esp-sha-hmac | esp-md5-hmac } [comp-— 

deflate] 

Note: If you use ESP, it is strongly advised to use AES with a 256-bit key, as long keys have almost no 
impact on performance and guarantees a higher level of security. 
To change the mode associated with the transform set, enter the following command line: 


CLI (crypto-trans)> mode { transport | tunnel } 


e transport: Transport mode adds an IPsec header to the packet. 


e tunnel: (default) Tunnel mode adds a new IP header and an IPsec header to the packet. 
4.7.2.3 Crypto Map 


A crypto map is a set of IPsec properties applied to an interface. It corresponds to the Security Policy 
Database configuration. A crypto map has several entries, each one standing for a security policy entry 
and associates the IP traffic to secure, the transform used and the remote tunnel end-point. 


There are two types of crypto maps entries: manual and ISAKMP. Manual crypto map entries require to 
implicitly configuring the keying material, while ISAKMP crypto map entries need less information, provided 
that IKE is configured (see 4.7.2.4). 


4.7.2.3.1 Manual Crypto Map Eniries 


To configure a manual crypto map entry and enter in crypto map configuration mode, use the following 
command line: 





CLI (configure)> crypto map ipsec-manual <name> <sequence_number> 
CLI (crypto-manual) > 





The sequence_number indicates the order/priority in which a packet is matched with selectors. 
To remove a manual crypto map entry, use the following command: 


CLI (configure)> no crypto map <name> 


To define the selector (IP filter that needs to be processed using IPsec), attach an access-list to it. Use the 
following command line: 


CLI (crypto-manual)> match address <acl_name> 


To remove the access-list and make all packets being authenticated/encrypted, use the no command line: 





CLI (crypto-manual)> no match address 


To configure the remote tunnel end-point, use the following command line: 


CLI (crypto-manual)> set peer { <A.B.C.D> | <hostname> } 


A.B.C.D or hostname designates the address of the remote IPsec endpoint. To remove tunnel endpoint 
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and deactivate crypto map entry, use the following command line: 


CLI (crypto-manual)> no set peer { <A.B.C.D> | <hostname> } 


Only one transform set can be applied per manual crypto map entry. To apply the selected IPsec transform 
to the crypto map entry, use the following command line: 


CLI (crypto-manual)> set transform-set <name> 


To detach the IPsec transform from the crypto map entry, use the no form of the above command: 


CLI (crypto-manual)> no set transform-set 


Configuring keying material manually is permitted on manual entries. Primary, it is compulsory to set two 
security parameter indexes (SPI), one for each direction. Secondly, keying material must be provided 
according to the chosen transforms. 


AH transform: HMAC-SHA1 requires a 20-byte key length, whereas HMAC-MD5 requires a key length of 
only 16-bytes. 


To configure AH keying material, use the following command lines: 


CLI (crypto-manual)> set security-association inbound ah <spi> 
{ <HEX-KEY-STRING-20B> | <HEX-KEY-STRING-16B> } 














CLI (crypto-manual)> set security-—association outbound ah <spi> 
{ <HEX-KEY-STRING-20B> | <HEX-KEY-STRING-16B> } 
































ESP transform: DES requires an 8-byte key length, AES_128 requires a 16-byte key length, 3DES and 
AES_192 require a 24-byte key length and AES_256 requires a 32-byte key length. 


To configure ESP keying material, especially encryption keys, use the following command lines: 


CLI (crypto-manual)> set security-association inbound esp <spi> 
{<HEX-KEY-STRING-8B> | <HEX-KEY-STRING-16B> | <HEX-KEY-STRING-24B> | 
<HEX-KEY-STRING-32B>} [<HEX-KEY-STRING-20B> | <HEX-KEY-STRING-16B>] 


















































CLI (crypto-manual)> set security-association outbound esp <spi> 
{<HEX-KEY-STRING-8B> | <HEX-KEY-STRING-16B> | <HEX-KEY-STRING-24B> | 
<HEX-KEY-STRING-32B>} [<HEX-KEY-STRING-20B> | <HEX-KEY-STRING-16B>] 







































































The first argument is the key for encryption and the second one for authentication. When the encryption is 
NULL, the authentication key must be provided. 


If IPsec transform requires compression, two compression parameter indexes must be configured, thanks 
to the following command line: 


CLI (crypto-manual)> set security-association outbound ipcomp <cpi> 
CLI (crypto-manual)> set security-association inbound ipcomp <cpi> 
You must provide the compression ID (cpi) with the same values at both ends of the IPsec tunnel (cpi 


range: 0...65535). 


Use the following command line to remove all inbound keying material: 


CLI (crypto-manual)> no set security-association inbound 


Use the following command line to remove all outbound keying material: 


CLI (crypto-manual)> no set security-association outbound 
4.7.2.3.2 | Standard ISAKMP Crypto Map Entries 


Before you start: 


Standard IPsec ISAKMP crypto maps must be used in the following cases: 
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e IPsec clients using IKE, the remote peer is a server (using dynamic ISAKMP crypto maps) 


e Symmetric mode: when the concept of client/server is not used, both IPsec peers must use such 
standard ISAKMP crypto maps 


Configuration: 


To configure an ISAKMP crypto map entry, and enter in crypto map configuration sub-level, use the 
following command line: 





CLI (configure)> crypto map ipsec-isakmp <name> <sequence-number> 
The sequence-number indicates the order/priority in which a packet is matched with selectors. To 
remove an ISAKMP crypto map entry, use the following command: 


CLI (configure)> no crypto map <name> 


Within a crypto map entry, to select IP traffic, use the following command line to attach an access-list to it: 


Only permit rules with true network or host addresses must be used within the access-list that 
must not contain a rule such as permit ip 0.0.0.0 255.255.255.255 .... 


CLI (crypto-isakmp) > match address <acl-name> 
To modify IP selectors for next SA negotiation, or to prevent a future SA negotiation, you can detach 
access-list from the crypto map entry. 


CLI (crypto-isakmp)> no match address 


To configure the tunnel end-point, use the following command line: 


CLI (crypto-isakmp)> set peer { <A.B.C.D> | <hostname> } 


To remove tunnel endpoint and deactivate crypto map entry, use the following command line: 


CLI (crypto-isakmp)> no set peer { <A.B.C.D> | <hostname> } 


Only one transform set can be applied per ISAKMP crypto map entry. To apply the selected IPsec 
transform to the crypto map entry, use the following command line: 


CLI (crypto-isakmp) > set transform-set <name> 


To detach the IPsec transform from the crypto map entry, use the no form of the above command: 


CLI (crypto-isakmp)> no set transform-set 


Other security parameters are negotiated with ISAKMP endpoint. The lifetime of the SA is a parameter and 
can be either expressed in kilobytes and/or in seconds. For example, an IPsec SA will need to be 
refreshed when the total quantity of secured packets reaches 100 megabytes. To configure the SA lifetime, 
use the following command line: 


CLI (crypto-isakmp)> set security-association lifetime seconds <1-131071> 


CLI (crypto-isakmp)> set security-association lifetime kilobytes 
<500-500000000> 


The default value for SA lifetime is configured to 3600 seconds and less than 100 MB. To reset the lifetime 
to default values, use the default command line: 
CLI (crypto-isakmp)> default set security-association lifetime { seconds 
| kilobytes } 


The lifetime in kilobytes and the lifetime in seconds can be configured at the same time. Both are taken 
into account (default behavior); the one that triggers first causes the SA pair to be renegotiated. Note that 
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IPsec service is not interrupted by renegotiation of SA. In addition to the hard limit configured, a soft limit is 
derived. This soft limit is reached when a high percentage of the hard limit (such as 90%) is reached and 
the SA-refresh then starts to take place. 


To disable a lifetime setting (seconds or kilobytes) to be taken into account for the lifetime of the SA, use 
the following command line: 


CLI (crypto-isakmp)> no set security-association lifetime { seconds 
| kilobytes } 


Perfect Forward Secrecy (PFS) is an optional service for exchanging keys. PFS allows the use of keys that 
are not derived from the initial IKE negotiation. Indeed, this initial negotiation makes it easier to hackers to 
extract the pre-shared secret. When renegotiating SA, if PFS is configured, keys are regenerated, and 
exchanged by means of PFS. To configure perfect forward secrecy on a crypto map entry, use the 
following command line: 


CLI (crypto-isakmp)> set pfs { groupl | group2 | group5 } 


To remove perfect forward secrecy, use the no form of the above command line: 


CLI (crypto-isakmp)> no set pfs 


It is possible to define when the ISAKMP negotiation shall start: 


e leased-line: The IPsec tunnel is automatically connected when the crypto map is configured on an 
interface. Use this when the IPsec SA connection is to be available regardless of user data. 


e dial (default setting): Specifies the manual setting to direct the crypto map to wait for user data 
before attempting to establish the IPsec connection. 


e incoming: The crypto map will wait for an incoming request to establish an IPsec connection. 
(passive mode) 


CLI (crypto-isakmp)> set type { incoming | leased-line | dial } 


To return to the (default) dial type, use the no form of the above command line: 


CLI (crypto-isakmp)> no set type 


To apply an ISAKMP profile to the crypto map, use the following command line: 


CLI (crypto-isakmp)> set isakmp-profile <isakmp-profile-name> 


To remove the ISAKMP profile from the crypto map, use the no form of the above command line: 


CLI (crypto-isakmp)> no set isakmp-profile 
4.7.2.3.3. Dynamic ISAKMP Crypto Map Entries 


Before you start: 


Dynamic crypto maps must be used on the ISAKMP server (responder side). The clients (ISAKMP 
initiators) must use standard crypto maps entries. Because the server does not know the peer IP address, 
only the source address of outgoing packets (source policy) is checked. The dynamic crypto map 
configuration is achieved in two steps: 


1. Define the dynamic crypto map configuration template 

2. Declare a policy in the Security Policy Database 

The differences between the standard and the server modes are: 

e The peer IP addresses are not known in advance, therefore the peer IP address is not configured 


e Because the peer IP address is not known, the permit rules of the access list can not filter any 
destination network. The permit rules must have the following form: permit ip <local- 
network> any. 
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Configuration: 
Use the next command to enter in the dynamic crypto map configuration template mode: 


CLI (configure)> [no] crypto dynamic <template-name> 
CLI (crypto-template) > 





Under this mode, you can enter the same parameters as in a standard ISAKMP crypto map (see 
4.7.2.3.2). However, the command set peer is not available. 


Then exit from this mode and return to the global configuration terminal (CLI (configure) >) and create 
the crypto map in the policy database: 





CLI (configure)> [no] crypto map dynamic <name> <sequence-number> 
<template-name> 


Where name is the name of the policy, later used in the configuration to apply it to an interface and 
sequence-number is the index of the crypto map in the policy database. 


4.7.2.3.4 Easy VPN (EZVPN) Crypto Maps 


EZVPN simplifies the design of an IPsec network, the central IPsec concentrator learns automatically the 
private IP networks when establishing the tunnels, which simplifies configuration of IP routing in IPsec 
concentrator. The private IP networks are reached by the remote IPsec via the tunnel. These private 
networks are defined as inside interfaces. Authentication with Xauth also helps in simplifying 
management as the authentication passwords for IKE establishment are held in a central RADIUS 
database. OneOS supports EZVPN in client mode. 


The crypto ipsec client ezvpn outside command assigns an easy VPN configuration to an 
outside interface, enabling the creation of an EZVPN IPsec connection over that interface to the specified 
VPN peer. This also automatically configures an associated access list and transform-set. 


An easy VPN group has several entries, each one standing for a security policy entry. This entry 
associates the IP traffic to be secured and the remote tunnel end-point. A crypto IPsec client EZVPN 
always uses ISAKMP. One SA connection (i.e. a separate tunnel) is established for each inside interface. 
Please keep in mind the following principles: 


e All inside interfaces, whether they belong to a tunnel, are listed in interface configuration mode as an 
inside interface, along with the tunnel name. 


e The EZVPN supports only one crypto ipsec client ezvpn outside instance, so the crypto 
ipsec client ezvpn command can be assigned to only one interface. If you attempt to assign it to 
more than one interface, an error message is displayed. You must use the no form of this command 
to remove the configuration from the first interface before assigning it to the second interface. 


e There is no default inside interface. 
e Remember that only ISAKMP policy group 2 is supported on EZVPN servers. 


e IKE aggressive mode is used for the exchange of parameters. 
4.7.2.3.4.1_| EZVPN Group Configuration 
To configure a crypto IPsec client EZVPN entry, and enter in crypto IPsec client EZVPN configuration sub- 


level, use the following command line: 


CLI (configure)> crypto ipsec client ezvpn <name> 


name identifies the easy VPN configuration with a unique and arbitrary name. 


By defining which inside interfaces belong to the EZVPN group (see further), all traffic from the subnets on 
these interfaces that are routed to the outside interface, are automatically put in the IPsec tunnel. To send 
other outgoing IP traffic on this interface also through the tunnel, you can attach an access-list to it. The 
access list must not contain a rule such aS permit ip any any, the permit rules must always have the 
following form: 


permit ip <local-network> <destination-network> 


Use the following command line to attach the ACL: 
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CLI (crypto_ezvpn)> match address <acl_name> 


To detach an access-list from the crypto IPsec client EZVPN entry: 


CLI (crypto_ezvpn)> no match address 


To configure the tunnel end-point, use the following command line: 





CLI (crypto_ezvpn)> peer { <A.B.C.D> | <hostname> } 
i remove tunnel endpoint and deactivate crypto IPsec client EZVPN entry, use the following command 
ine: 
CLI (crypto_ezvpn)> no peer 
The IPsec can be established automatically, when easy VPN is configured on the interface, or on-demand. 


On-demand is the default behavior, i.e. when an IP packet is routed to the interface and that packet 
matches the IPsec policy. Use the next command to set the desired behavior: 


CLI (crypto_ezvpn)> connect { auto | manual } 
EZVPN requires a group name and pre-shared key to be exchanged. With the group name the server side 


can distinguish between different EZVPN groups. Note that this group name may be different from the 
name entered when creating the EZVPN client entry. To configure the group name and the key: 


CLI (crypto_ezvpn)> [no] group <group-name> key <group-key> 
Within an EZVPN group, the IPsec clients must be individually authenticated by Xauth. A username and 
password must be provided: 

CLI (crypto_ezvpn)> [no] username <user-name> password <user-—password> 
Because the client device does not have a user interface option to enable or disable PFS negotiation, the 


server will notify the client device of the central site policy during ike-mode-cfg. The Diffie-Hellman (D- 
H) group that is proposed for PFS will be the same as negotiated in Phase 1 of the IKE negotiation. 


To complete the EZVPN group configuration, enter the exit command: 

CLI (crypto_ezvpn)> exit 
Note: you cannot use the no crypto ipsec client ezvpn command to delete a crypto IPsec client 
EZVPN that is assigned to an interface. 
You must remove that crypto IPsec client EZVPN configuration from the interface before you can delete 
the configuration. 


4.7.2.3.4.2 Applying EZVPN Group on Interfaces 


Reminder: 


e The outside interface is the interface from which the tunnel is established (only one outside interface is 
allowed/supported) 


e An inside interface connects to an IP network that is reached via the tunnel and advertized to the peer 
by EZVPN IKE extensions. Multiple inside interfaces are supported. 


To assign an easy VPN configuration to an interface, specify whether the interface is outside or inside, and 
configure one outside and one or more inside interfaces. Use the crypto ipsec client ezvpn 
command in interface configuration mode. To remove the easy VPN configuration from the interface, use 
the no form of this command. 


CLI (config-if)> crypto ipsec client ezvpn <name> { outside | inside } 
CLI (config-if)> no crypto ipsec client ezvpn <name> 


Notes: 
e An "inside" reference is only allowed if the interface has a fixed IP address. 


e Aneasy VPN configuration should be created before assigning it to an interface. 
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4.7.2.3.5 | Applying a Crypto Map to an Interface 


Before you start: 
OneOS delivers two alternatives when applying a crypto map to an interface: 


e Physical Interface: the crypto map is directly applied on the output interface. In this mode, the 
packets which have been routed to this output interface are processed by IPsec (encryption, 
encapsulation in case of tunnel mode). In case of IPsec tunnel mode, the packets are routed again 
with the tunnel endpoint IP address. 


e Tunnel Interface: the crypto map is applied on the tunnel interface. Packets are first routed to a 
tunnel interface. Once encapsulated (GRE, IPIP...) and IPsec encrypted, the new packet is routed 
again through the router. 


Note: Up to OneOS version 4.2R3E7, when configuring a GRE over IPsec tunnel one has to apply the 
crypto map to the output (physical) interface. When applying it to the tunnel interface, no GRE 
encapsulation will be done. In the latter case, packets are processed by IPsec and forwarded to the output 
interface. As of OneOS version 4.2R3E8 the crypto map can be applied either on the physical or tunnel 
interface. 


Configuration: 

To apply the IPsec crypto map on an interface, use the following command line in the interface sub-level: 
CLI (config-if)> crypto map <name> 

If crypto map entries are properly configured, this command fills in security associations and associated 


selectors in the IPsec databases. Use the no form of the above-referenced command to remove entries of 
the databases. 


CLI (config-if)> no crypto map 
4.7.2.3.6 DF bit in tunnel mode 


IP fragmentation may be prevented due to the DF bit in the IP header. To modify the DF bit in the 
encapsulating IP header for a specific interface, use the following command line in interface mode: 


CLI (config-if)> crypto ipsec df-bit [ clear | set | copy ] 


clear: the DF bit of the outer IP header is cleared. 
set: the DF bit of the outer IP header is set. 
copy: (default) the DF bit is taken from the inner IP header and copied into the outer IP header. 


Note: this command is not applicable for IPsec tunnels in transport mode. 
4.7.2.4 ISAKMP Configuration 
4.7.2.4.1_ | Crypto ISAKMP Configuration 


ISAKMP packets are sent using UDP on port 500. To permit transmission of ISAKMP packets from the 
OneOS-based router, use the following command in configuration mode: 


CLI (configure)> crypto isakmp enable 


Use the no form of the command to disable ISAKMP exchange: 


CLI (configure)> no crypto isakmp enable 


ISAKMP entities identify themselves using either the outgoing IP address or the hostname. Use the 
following command to define the identity (address is the default value). 


CLI (configure)> crypto isakmp identity { address | hostname } 


Use the no form of the command to apply the default value: 
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CLI (configure)> no crypto isakmp identity 


ISAKMP peers share a secret to authenticate each other. This secret is used to encrypt ISAKMP traffic. 
Secret is locally stored and associated to a peer. You can enter a secret for a given address or hostname 
by using the following command line: 


CLI (configure) > crypto isakmp key <key> { address <A.B.C.D> [<mask>] 
| hostname <host> } 
In case of dynamic server, wild cards can be used (such as 0.0.0.0 0.0.0.0) because the peer IP 
addresses are not known in advance. 
You can remove the key by using the no form of the command line: 


CLI (configure)> no crypto isakmp key <key> { address <A.B.C.D> [<mask>] 
| hostname <host> } 


Prior establishing IKE phase 1, both peers agree on the policy used for communicating. They select the 
policy by sending a list of proposals that contains a list of ISAKMP policies ordered in preference order. 


To enter in ISAKMP policy configuration mode, use the following command line: 
CLI (configure) > crypto isakmp policy <identifier> 
CLI (config-isakmp) > 
identifier indicates the preference order. 1 stands for the highest priority, while 10000 stands for the 
lowest priority. A policy is made up of encryption and hash algorithm. 
To configure the encryption used in an ISAKMP policy, use the following command line: 


CLI (config-isakmp)> encryption { des-cbc | 3des-cbc | aes } 


Default encryption algorithm is des—cbc and is activated by using the following default command line: 


CLI (config-isakmp) > default encryption 


To configure the hashing algorithm, use the following command line: 


CLI (config-isakmp)> hash { md5 | shal } 





CLI (config-isakmp) > default hash 


The authentication method tells how to authenticate with remote peer. Pre-shared key and RSA signatures 
are authorized. 


To configure pre-shared authentication, use the following command line: 


CLI (config-isakmp) > authentication pre-share 


To configure authentication by using RSA signatures, use the following command line: 


CLI (config-isakmp)> authentication rsa-sig 


To set the default authentication method (pre-share), use: 





CLI (config-isakmp) > default authentication 


The lifetime of ISAKMP SA is configurable by using the following command line: 
CLI (config-isakmp) > lifetime <1-131071> 


CLI (config-isakmp)> default lifetime 


Default value for lifetime is 86400 seconds. Volume limit is not configurable. 
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Key exchange requires the selection of a Diffie-Hellman group (DH). The bigger the DH group is, the more 
secured the exchange is. By default, group 1 is provided. Group 2 must be selected for EZVPN 
configurations. To configure DH group, use the following command line: 


CLI (config-isakmp)> group {1 | 2 ]| 5 } 





CLI (config-isakmp) > default group 


The above commands configure the proposed group list that is sent to the remote ISAKMP peer. The 
remote chooses the transform and replies. Once agreed on the transform, both peers forge their keys, and 
pass it to the remote peer using the chosen group. 


To finalize ISAKMP policy configuration: 


CLI (config-isakmp)> exit 
4.7.2.4.2 ISAKMP Keepalive 


ISAKMP keepalive stands for a facility that enables IPsec gateways to detect dead peers. It is compliant 
with RFC3706, which specifies that each device must reply to "DPD" queries from remote IKE peers. The 
implementation of dead IKE peer detection is not provided. It is explained hereafter: when sending 
keepalive packets, the ISAKMP peer must respond to the received message. If no answer is received, the 
ISAKMP peer seems to be dead. To make sure the peer is not alive, two additional keepalive messages 
are sent. If no answer is received for both messages, the ISAKMP peer is considered as dead. The 
ISAKMP connection is reset locally as well as its IPsec SAs. 


Two timers can be configured: 


e The trigger timer: it is the inactivity period during which no traffic has been detected coming from the 
ISAKMP peer or from the corresponding tunnel. If this timer expires, a kKeepalive message is sent to 
the remote peer to check if it is still alive. The default timer value is 30 seconds. 


e The retry timer: it is the timeout for receiving a keepalive response coming from the ISAKMP peer or 
from the corresponding tunnel. If no answer is received in the meantime, a new keepalive message is 
sent. Default: 10 seconds. If the connection with remote ISAKMP peers is lost, the problem is detected 
after two retries, typically within 30+10+2*10=60 seconds. 


ISAKMP keepalive is not enabled by default. To enable ISAKMP keepalive, use the following command 
line to configure keepalive: 


CLI (configure)> crypto isakmp keepalive <5-120> [<2-60>] [periodic] 


The first parameter is the trigger timer in seconds; the second one is the retry timer in seconds. 


periodic is a keyword meaning that keepalive packets are always sent, even if traffic was detected on 
the tunnel: in that case, the trigger timer is just the duration between two keepalive messages sent. 


To restore the default values and stop keepalive: 


CLI (configure)> no crypto isakmp keepalive 


Application cases for ISAKMP keepalive: 


e = Re-initialization of IKE: the shutdown command resets active sessions on the interface. The no 
shutdown command allows the re-initialization of IPsec connections if they were present initially. 
Usually, such reconnection request fails and a 3-minute timer is fetched. ISAKMP keepalive 
accelerates the reconnection time. 


e Ability to track the tunnel interface state: the tunnel is up if the ISAKMP connection is up. When the 
tunnel is down, the command show interfaces tunnel displays the remaining time until the next 
IPsec reestablishment retry. 


4.7.2.4.3. ISAKMP Aggressive Mode 


To configure an IKE peer for aggressive mode, use the following command line: 


CLI (configure)> crypto isakmp peer { address <ip> | hostname <host> } 


Enter the aggressive mode pre-shared key by entering the following command line: 
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CLI (config-isakmp-peer) > set aggressive-mode password <psk> 


Example: 
crypto isakmp peer address 172.31.124.229 
set aggressive-mode password presharedkey 
exit 
To remove the aggressive mode pre-shared key enter the following command line: 


CLI (config-isakmp-peer)> no set aggressive-—mode 
4.7.2.4.4 ISAKMP Profile 


An ISAKMP profile is an enhancement to the ISAKMP configuration. It is used to set parameters of an 
IPsec connection. These parameters consist of the identity of IKE phase 1 connections including IP 
address, fully qualified domain name (FQDN) and the user FQDN (email address). 


The match command allows verifying the peer's identity against a list of known and trusted peers. If the 
identity of a peer is hidden within a certificate, a certificate map can (see 3.26.4) provide even more 
information about the peer's identity. 


An ISAKMP profile shall be applied to an ISAKMP crypto map (see 4.7.2.3). 


To configure an ISAKMP profile and enter in ISAKMP profile configuration mode, use the following 
command line: 


CLI (configure)> crypto isakmp profile <name> 
CLI (crypto_profile) > 


To remove an ISAKMP profile, use the following command: 





CLI (configure)> no crypto isakmp profile <name> 


To define the identity that the local IKE will use to identify itself to the remote peer, use the following 
command. Note that if no ISAKMP profile is configured, IKE will use the global configured value (see 
crypto isakmp identity command). 


CLI (crypto_profile)> self-identity { address 
| hostname 
| user-fqdn <user-fqdn> } 
address (default value within ISAKMP profile) is the IP address of the egress interface. 
hostname is the host name of the OneOS-Based router. 
user-—fqdn is a 64-char long string (usually an email address). 
To make IKE use again the global configured value, use the following command line: 


CLI (crypto_profile)> default self-identity 


To define the identity that the local IKE has to check against the peer's identity, use the following 
command. Multiple match identity commands can be configured. The peer is mapped to the ISAKMP 
profile when its identities (as given in the ID payloads of the IKE) match the identities defined in the profile. 


CLI (crypto_profile)> match identity { address <address> 
| hostname <name> 
| user-fqdn <user-fqdn> } 
address is the value to check against the ID_IPV4_ADDR type field. 
name is the value to check against the ID_FQDN type field. 


user-—fqdn is the value to check against the ID_USER_FODN type field. 





To remove an identity from the list to check, use the no form of the above command. 
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When certificates are used for authentication, the following command allows verifying the content of the 
fields of the peer's certificate. This is accomplished by applying a certificate map (see 3.26.4) to the profile. 


CLI (crypto_profile)> match certificate <name> 


name is the name of the certificate map. 


To remove the certificate matching from the profile, use the no form of the above command. 


4.7.2.5 _ Hardware-Accelerated IPsec 


To enable hardware-accelerated encryption, use the following command in configuration mode: 


CLI (configure) > crypto engine enable 


To disable hardware-accelerated encryption, use the following command in configuration mode: 





CLI (configure)> crypto engine disable 


By default, the hardware-accelerated encryption is disabled. 


4.7.2.6 NAT Traversal 
4.7.2.6.1 NAT Traversal Activation 


To disable NAT Traversal on the router, and prevent it from using UDP port 4500, use the following 
command in configuration command mode: 


CLI (configure)> no crypto isakmp nat-traversal udp-encapsulation 


To restore the default configuration, and enable NAT Traversal on the equipment, and use UDP port 4500 
when possible, use the active form of the above command: 


CLI (configure)> crypto isakmp nat-traversal udp-encapsulation 
4.7.2.6.2 NAT Traversal Port 


To configure NAT Traversal on a specific port, use the following command in configuration command 
mode: 


CLI (configure) > crypto isakmp nat-traversal port <1-65535> 


To restore the default configuration, use the no form of the above command: 





CLI (configure)> no crypto isakmp nat-traversal port 
4.7.2.6.3 NAT Traversal Keepalive 


The NAT-Traversal detects NAT devices sitting in the middle of the IPsec tunnel path. NAT devices 
maintain a context to keep track of the IPsec session (tunnel). The context is removed after a certain 
timeout. In order to maintain the NAT entry in the intermediate NAT device, dummy UDP packets (with no 
payload) are periodically sent every 20 seconds. To change emission frequency of UDP keepalive 
packets, use the following command in configuration mode: 


CLI (configure)> crypto isakmp nat keepalive seconds <5-3600> 


To disable the NAT keepalive function, use the no form of the above command: 





CLI (configure)> no crypto isakmp nat keepalive 
4.7.2.6.4 NAT Traversal Vendor-ID 


Some IPsec connection setup may fail due to compatibility issues regarding NAT-Traversal payload type, 
encapsulation mode and vendor-id hash. Forcing the nat-traversal vendorid to draft-03 may 
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solve this problem: 


e rfc3947: (default) uses the RFC3947 settings regarding ISAKMP NATD and NATOA payload, UDP 
encapsulation mode and vendor-id hash. ISAKMP will fall back to the draft settings when the peer 
does not support the RFC3947. 


e draft-03: uses the "draft-ietf-ipsec-nat-t-ike-03" settings regarding ISAKMP NATD and NATOA 
payload, UDP encapsulation mode and vendor-id hash. 


CLI (configure)> crypto isakmp nat-traversal vendorid {rfc3947 | draft-—03} 
To restore the default configuration (r£c3947), use the no form of the above command: 
CLI (configure)> no crypto isakmp nat-traversal vendorid 


4.7.2.6.5 SNMP Traps 


In order to send SNMP traps for every IPsec log message, use the following command: 


CLI (configure)> [no] snmp traps ipsec 


In order to send SNMP traps related to the IKE protocol, use the following command: 


CLI (configure)> [no] snmp traps isakmp 
4.7.3 IPsec Statistics 


At any stage of the configuration, information about IPsec can be displayed. To display configuration 
information related to IPsec, use the following command line: 


CLI> show crypto config 


To display the IPsec SAs currently configured, use the following command line: 


CLI> show crypto ipsec sa 


To display the list of configured transform-sets, use the following command line: 
CLI> show crypto ipsec transform-set 
To display the list of configured crypto maps and their configuration or display the configuration of a 


specific crypto map or the configuration of a crypto map attached to an interface, use the following 
command line: 


CLI> show crypto map [name <name> | interface <interface_name>] 


To display the statistics on the IPsec related counters, use the following command line: 


CLI> show crypto [ah | esp | ipcomp | ipip] 


To clear IPsec counters displayed in the above command, use the following command line: 





CLI> clear crypto counters 


It is possible to clear all IPsec counters of SAs or per interface, by using the following command line: 


CLI> clear crypto sa { counters | interface <type> <unit> | spi <spi> 
{ah | esp | ipcomp} <A.B.C.D> } 


To display ISAKMP key configuration, use the following command line: 


CLI> show crypto isakmp key 


To display ISAKMP policy, use the following command line: 
CLI> show crypto isakmp policy 


To display ISAKMP security associations, use the following command line: 


CLI> show crypto isakmp sa 


To clear ISAKMP counters: 
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CLI> clear crypto isakmp 


To clear encapsulation-related counters: 





CLI> clear crypto {ah | ipip | esp | ipcomp } 


ipip corresponds to the IP tunnel encapsulation header. 
4.7.4 Debug Commands 


To debug payload packet processing: 
CLI> [no] debug crypto ipsec 


To debug ISAKMP issues: 
CLI> [no] debug crypto isakmp [level [<level>]] 





<level> (Optional): Specifies the amount of ISAKMP debug information available. The level can be set 
between 10 and 90. The default debug level is 20. 


4.7.5 Configuration Example 
4.7.5.1. | Manual Crypto Entries 


The following example illustrates how to configure an IPsec tunnel with manually configured keys. 






Router A Router B 






1 OES 212.199.8.1 212.199.8.2 NOste- O28 





Router A Configuration: 


configure terminal 

ip access-list extended subl 

permit ip 10.1.1.0 0.0.0.255 10.1.0.0 0.0.255.255 
exit 

crypto ipsec transform-set esp-—3des-sha 

esp-3des esp-sha-hmac 

exit 


crypto map ipsec-manual client 1 

! Defines a SA with manually configured keys for traffic that matches 
! the ACL subl 

match address subl 

set transform-set esp-—3des-sha 

! Warning: next 2 times 3 lines are 2 times one instruction! 
set security-association inbound esp 0x195831 
89ef6ee47969b514d0bbc77d99d3£69089a0£c3778474310 
6lac3e5e8a60bec99£54769b36264d0a7970124£ 

set security-association outbound esp 0x195832 
fea63clbae038fa13a931507a293128ea86£03ebfc43faab 
181a435£80900737b964ad64814fab7£69ccaab69 
exit 


interface ethernet 0 


ip address 10.1.1.1 255.255.255.0 
exit 
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interface tunnel 1 

! Apply the crypto map to the tunnel interface 
ip unnumbered atm 0.1 

tunnel source atm 0.1 

tunnel destination 212.199.8.2 

crypto map client 
exit 
interface atm 0.1 

ip address 212.199.8.1 255.255.255.0 
exit 
ip route 10.1.0.0 255.255.0.0 tunnel 1 


Router B Configuration: 


configure terminal 
ip access-list extended subl 

permit ip 10.1.2.0 0.0.0.255 10.1.0.0 0.0.255.255 
exit 
crypto ipsec transform-set esp-—3des-sha 

esp-3des esp-sha-hmac 
exit 
crypto map ipsec-manual client 1 

match address subl 

set transform-set esp-—3des-sha 

set security-association inbound esp 0x195832 
fea63clbae038fa1l3a931507a293128ea86f03ebfc43faab 
181a435£80900737b964ad64814fab7£69ccaab9 

set security-association outbound esp 0x195831 
89ef6ee47969b514d0bbc77d99d3 £6908 9a0Fc3778474310 
6lac3e5e8a60bec99f54769b36264d0a7970124£F 
exit 

interface ethernet 0 

ip address 10.1.2.1 255.255.255.0 
exit 

interface tunnel 1 

ip unnumbered atm 0.1 

tunnel source atm 0.1 

tunnel destination 212.199.8.1 

crypto map client 

exit 

interface atm 0.1 

ip address 212.199.8.2 255.255.255.0 

exit 

ip route 10.1.0.0 255.255.0.0 tunnel 1 


4.7.5.2 Client-Server Example 









Client 





Server 






10.1.3.0/24 10.1.1.0/24 


212.199.8.2 





212.199.8.1 





Client Configuration: 


configure terminal 

ip access-list extended subl 

permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 
exit 

crypto ipsec transform-set esp-—3des-sha 

esp-3des esp-sha-hmac 
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exit 

crypto isakmp key secretpassword address 212.199.8.1 
crypto isakmp policy 1 

encryption 3des 

hash md5 

lifetime 20000 

group 5 

exit 

crypto map ipsec-isakmp isakmp_client 1 
match address subl 

set peer 212.199.8.1 

set transform-set esp-—3des-sha 

set pfs group2 

set security-association lifetime seconds 5000 
exit 

interface ethernet 0 

ip address 10.1.2.1 255.255.255.0 
exit 

interface atm 0.1 

ip address 212.199.8.2 255.255.255.0 
crypto map isakmp_client 
exit 

ip route 10.1.2.0 255.255.0.0 212.199.8.1 


Server Configuration: 


configure terminal 
ip access-list standard subl 

! only match what comes from/goes to the LAN 
permit 10.1.1.0 0.0.0.255 
exit 
crypto ipsec transform-set esp-—3des-sha 
esp-3des esp-sha-hmac 
exit 
crypto isakmp key secretpassword address 0.0.0.0 0.0.0.0 
crypto isakmp policy 1 

encryption 3des-—cbc 

hash md5 

lifetime 20000 

group 5 
exit 
crypto dynamic dyn 

! Crypto map template 

match address subl 

set transform-set esp-—3des-sha 

set pfs group2 

set security-association lifetime seconds 5000 
exit 

! Creation of a policy entry 
crypto map dynamic isakmp_server 1 dyn 
interface ethernet 0 

ip address 10.1.1.1 255.255.255.0 
exit 
interface atm 0.1 

ip address 212.199.8.1 255.255.255.0 
crypto map isakmp_server 
exit 
ip route 0.0.0.0 255.255.255.255 atm 0.1 


4.7.5.3. Configuration Example of an EZVPN Client 


crypto engine enable 
crypto isakmp policy 1 
encryption 3des-cbc 
exit 
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crypto isakmp keepalive 60 20 


crypto ipsec client ezvpn TEST 
peer 172.31.124.229 

group cisco key ciscopassword 
username Brian password Adams 
connect auto 

exit 


interface FastEthernet 0/0 

ip address 172.31.124.233 255.255.255.248 
crypto ipsec client ezvpn TEST outside 
exit 


interface FastEthernet 0/1 

ip address 172.31.124.249 255.255.255.248 
ip address 9.9.9.9 255.255.255.0 secondary 
crypto ipsec client ezvpn TEST inside 

exit 


interface FastEthernet 0/2 
exit 


interface FastEthernet 0/3 
exit 


interface FastEthernet 1/0 

ip address 172.31.96.98 255.255.255.192 
crypto ipsec client ezvpn TEST inside 
exit 


interface Loopback 1 

ip address 4.4.4.4 255.255.255.255 
crypto ipsec client ezvpn TEST inside 
exit 


ip route 0.0.0.0 0.0.0.0 172.31.124.235 


4.7.5.4 | Configuration example with an IPsec profile 


ip access-list standard pc 
permit 172.31.100.0 0.0.0.255 
exit 


crypto ipsec transform-set esp-—3des-sha 
esp-3des esp-sha-hmac 
exit 


crypto isakmp keepalive 
crypto isakmp identity hostname 


crypto isakmp policy 1 
authentication rsa-sig 
encryption 3des-—cbc 

exit 


crypto isakmp profile myProfile 
self-identity hostname 

match certificate myCertmap 
exit 


crypto pki certificate map myCertmap 1 
subject-name co O=OneAccess 
subject-name co C=BE 

exit 
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crypto dynamic mydyn 

match address pc 

set transform-set esp-—3des-sha 
set isakmp-profile myProfile 
exit 


crypto map dynamic mymap 10 mydyn 


interface FastEthernet 0/1 
ip address 172.31.100.1 255.255.255.0 
exit 


interface FastEthernet 0/2 
ip address 192.168.1.1 255.255.255.0 


crypto map mymap 
exit 
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4.8 MISTRAL SECURITY 


4.8.1 Introduction 


The Mistral security is the result of Thales e-security technology integration within OneOS. The Mistral 
software consists of VPN encryption technology providing enhanced security and manageability through a 
seamless integration in Thales management system. The Thales management system provides the 
following main features: 


e Centralized key management 


e Security policy configuration are populated within every managed devices, be it OneAccess routers 
with the Mistral module or other Mistral security appliances 


e =©Alarms, security alerts 


The Mistral software encrypts and authenticates all the external flows by means of the AES standard 
algorithm and 128-bit keys. When enabling Mistral security on an interface, the security policies are 
applied for incoming and outgoing flows. At the inbound, the mistral security is applied before ACL; at the 
outbound, it is applied before NAT. 
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4.8.2 Configuring Mistral 
4.8.3 User Profiles 
The whoami command indicates which user profile is logged in. The command indicates the user profile 


number. The following profiles are pre-defined: 


e Profile 127: for network configuration. This profile grants the user an access to any CLI configuration 
command of OneOS that is not related to the Thales module. 


e Profile 15: for security configuration. Allows a user to activate and to configure the Mistral software 
module. 
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The Mistral security configuration and activation include three main stages: 
e Security activation, 
e Initialization via Mistral Management Center, 


e Acknowledgement of the security policies. 


4.8.4 Security Activation 


All frames to and from the encrypted interfaces are processed by the Mistral security module. In general, 
the encrypted interfaces are the interfaces connected to the WAN. Add the ‘ip ms-encryption’ 
command on interfaces where you wish to activate Mistral encryption. 


CLI (configure)> interface atm 0.1 
CLI (config-if)> [no] ip ms-encryption 
CLI (config-if)> exit 





Important: the security module is now activated: it is provided with its default configuration. Its default IP 
address is 127.0.0.1 and MUST be modified. 


The source address can be changed by selecting the source address from an interface of the router. This 
address is necessary for all secure transmissions (with the Mistral Management Center and the encrypted 
user flows). The address of an existing interface, or a “loopback” address created for this purpose, can be 
defined. The configuration commands are the following: 


CLI (configure) > ms-encryption 
CLI (ms-enc)> source atm 0.1 
Cl ms—enc)> execute 

Cl 


ms-enc)> exit 


LI 
LI 





Important: the Mistral VPN address can be modified at any time with this procedure during use. The 
management center is then warned and updates its configuration. 


By default, the Mistral module is provided with the following security policies allowing the module to 
authorize the RIPv2, OSPF, BGP and PING flows: 






































Source Destination Direction | Processing | Protocol Port 
0.0.0.0 (0) | 224.0.0.0 (24) | incoming Plain 89 (OSPF), 17 (UDP) | 520 (RIPv2) 
0.0.0.0 (0) | 224.0.0.0 (24) | outgoing Plain 89 (OSPF), 17 (UDP) | 520 (RIPv2) 
0.0.0.0 (0) | 0.0.0.0 (0) incoming Plain 1 (PING), 6 (TCP) 179 (BGP) 
0.0.0.0 (0) | 0.0.0.0 (0) outgoing Plain 1 (PING), 6 (TCP) 179 (BGP) 





Important: On the remote management, these security policies are erased. It is therefore necessary to 
provide them in the management center if they are used. 


Initialization (Management VPN) 


The security module must have been activated as indicated in the previous section. The management VPN 
initialization is carried out by means of an initialization file and carrier (PIN) codes. The PIN codes allow 
decrypting the initialization file. Please refer to the MMC user manual for information on the generation of 
the initialization file and carrier codes. 


Initialization requires the following operations: 


1. Enter into the security context with the ms—encryption command (available in the terminal menu- 
configure terminal command). 





2. Enter into the initialization file with the encrypted-data-init command and a copy/paste of the 
initialization file content. 


3. Enter the PIN code(s) with the pin-code-1 and optionally pin-code-2 commands. 


4. Validate the configuration with the execute command. If the configuration is correct, the new 
configuration is saved and the equipment takes it into account. Do not worry if Warnings’ appear: they 
are due to the Mistral VPN IP address initialization process. 


Important: The PIN codes must be entered from console port. Using the “telnet/SSH” protocol is not 
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authorized. 

Notes: 

e An integrity check is made on every entered PIN code. 

e Anintegrity check is made before decrypting the initialization parameters. 


If the configuration is corrupted or incorrect, the router does not take it into account and does not modify its 
current configuration. 


Configuration commands: 


CLI (ms-enc)> encrypted-data-init <init-string> 
> pin-code-1 <pinl> 

> [ pin-code-2 <pin2> ] 

> execute 

> exit 


4.8.6 Security Policy Acknowledgement 


Further to the initialization of the management VPN, the Mistral module is ready to dialog with the MMC. It 
automatically sends an auto-remote management request every minute. If the MMC is programmed to 
answer (which is recommended), then the Mistral module is remotely managed automatically and it 


receives these security tables (Security associations, security policies, keys, ... see the MISTRAL 
equipment user manual for further details on the remotely managed parameters). The traffic VPN are then 
created. 


The Mistral module can contain up to 50 security policies and 25 security associations (i.e. 25 secure 
VPN). 


Note1: This operation is usually carried out automatically (for this purpose, the auto-remote management 
option should be activated on the MMC). 


Note2: The MMC has to be correctly configured previously. Refer to the MISTRAL Management Center 
user manual for further information on the MISTRAL system configuration. 


4.8.6.1 | Configuration Examples 


The example shows how to allow the Internet flows for LAN station 192.168.103.2 (if the security policies 
issued from the Mistral Management Center authorize them). The other LAN stations use the Mistral VPN 
and are not authorized to use Internet. Because NAT is done before packet processing by the Mistral 
software, we need to declare a NAT bypass-list for the flows coming from 192.168.103.2 on the LAN. 


hostname OneMistral 
ip access-list extended acl_out 
permit udp 0.0.0.0 255.255.255.255 255.255.255.255 500 
permit tcp 0.0.0.0 255.255.255.255 0. -0 255.255.255.255 80 reflexive 
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 53 reflexive 
exit 
ip access-list extended acl_in 
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 500 
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 4500 
exit 
ip access-list standard nat_bypass 
deny 192.168.103.2 
permit any 
exit 
interface FastEthernet 0/0 
ip address 192.168.103.1 255.255.255.0 
exit 
interface adsl 0 
modem mode AUTO 
execute 
exit 
interface atm 0 
driver ident 0 
max channels 10 


oo 
oo 
oo 
oo 
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max vp 5 
max vc 8 
range vp min 0 max 255 
range vc min 32 max 100 
execute 
exit 
adsl 
execute 
exit 
exit 
interface atm 0.1 
Pvc pppoa vpi 8 vci 35 
ipecp dynamic 
ipecp dns-accept 
username fti/afegstg 
password wg6haze 
execute 
exit 
ip access-group acl_in in 
ip access-group acl_out out 
ip ms-encryption 
ip nat inside overload 
ip nat inside bypass-list nat_bypass 
exit 
ms-—encryption 
source Atm 0.1 
execute 
exit 
ip route 0.0.0.0 0.0.0.0 atm 0.1 
ip dhcp pool pooll 
network 192.168.103.0 255.255.255.0 
default-router 192.168.103.1 
dns-server 192.168.103.1 
exit 
ip dns-proxy dns-server learn 
exit 
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4.9 


4.9.1 
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LAYER TWO TUNNELING PROTOCOL (L2TP) 


Presentation 


L2TP is a protocol defined in RFC 2661, which enables subscribers using PPP to be connected to their 
home networks over a variety of transport technologies. PPP remote systems (subscribers) use different 
access technologies, such as ISDN, analog phone line (POTS) or DSL. A layer-two connection is normally 
achieved between the remote system and the Network Access Server (NAS) or the Broadband Access 
Server (BAS). Instead of terminating the PPP session in this device, the PPP session is relayed in a L2TP 
tunnel. 


PPP 
Remote 
System 

ISP/ 
Internet 


over ADSL, 
SHDSL, 
ISDN, ...) 














The PPP transport in L2TP is transparent to the PPP protocol. Therefore, the remote L2TP end-point is 
also the remote PPP endpoint and is called the L2TP Network Server (LNS). 


The peer device of the LNS is the L2TP Access Concentrator (LAC), which usually initiates the L2TP 
tunnel and encapsulates PPP packets from one or more PPP remote systems. 


When the LAC and remote system are combined in one router, the router creates a PPP virtual interface 
that directly encapsulates PPP packets in L2TP packets. The virtual interface forms what is called a LAC 
client tunnel interface. As a LAC client is a tunnel interface, the newly formed L2TP packets are re-routed 
by the router like in a GRE or IPsec tunnel. 


Page 4.9-307 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


LAC 
Client 


” 
- 
® 
> 
i] 
= 
fe} 
(5) 
fe} 
~ 
{e} 
= 
o 








The advantage of L2TP is to ease integration of PPP using various access technologies and to transport 
seamlessly PPP sessions across several providers’ networks. 


4.9.2 LNS Configuration 
4.9.2.1 Features 


The current version of OneOS provides the LNS function, with the following characteristics: 
e Configuration based on virtual profiles (PPP and L2TP) 
e Authentication of PPP users via RADIUS, support of redundant RADIUS servers 


e Configurable flow control and authentication procedures 
4.9.2.2. L2TP/PPP Virtual Template 


An L2TP/PPP virtual template is a template describing common characteristics of the PPP interfaces, 
which are set-up dynamically when a PPP session is established. The template makes reference to a PPP 
profile that describes common configuration parameters of the PPP layer. 


The virtual template describes the configuration parameters for the IP interfaces which are dynamically 
mounted when the PPP session is running. A user can configure in a virtual template the IP services which 
are managed by the routing software; these can be access lists, QoS, NAT ...etc. 


The configuration steps first require a PPP profile to be specified, this is done in the global configuration 
mode: 





CLI (configure)> interface virtual-template <12tp-ppp-template-id> 
CLI (configure-virtual-ppp)> ppp-profile <profile-id> 


<12tp-ppp-template-id> is a positive integer identifier, which uniquely references the template. The 
<profile-id> points to a PPP profile, which must have been defined as shown in section 4.3.5 (PPP 
with IPCP dynamic). Note that the CLI is entered in 'virtual-ppp' interface configuration mode. For 
this interface configuration mode, you can define some interface-independent IP services. Here are some 
examples: 





CLI (configure-virtual-ppp)> ip access-group test out 
CLI (configure-virtual-ppp) > service-policy output test 
CLI (configure-virtual-ppp)> ip nat inside overload 


To start the L2TP service, enter the following command from global configuration mode: 





CLI (configure)> 12tp enable 


Note: to disable the L2TP service, use the no 12tp enable command, which is the default status. 
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If the number of PPP sessions inside L2TP tunnels must be restricted to a specified value, use the 
following command: 


CLI (configure)> 12tp session-limit <1-300> 


By default, the number of sessions is limited to 300. 


It is then necessary to create an L2TP group that contains all configuration parameters for an L2TP tunnel, 
which is established with a single peer. The command is the following: 


CLI (configure)> 12tp-group <group-—name> 
<group-—name> is a string, uniquely identifying the L2TP group. The last command makes the CLI enter in 
L2TP configuration mode. 


When the first PPP session supported by the L2TP group is initiated, the L2TP tunnel must be first 
established. The LNS must match the LAC request with a L2TP group in order to determine which L2TP 
parameters shall be used. To do so, the LAC host name is used. The user must enter the LAC host name 
corresponding to the L2TP group: 


CLI (12tp-group) > terminate-from hostname <LAC-hostname> 


At this point, there are two configuration options: 
e _ Either Static configuration: all parameters are entered for this L2TP group 


e Or template-based configuration: all parameters are entered in a L2TP template. Then, the L2TP 
group configuration only makes reference to that template, which allows the configuration parameters 
only to be entered once for several groups. 


4.9.2.3. Static L2TP Group Configuration 


In this L2TP tunnel, the LNS receives PPP establishment requests. As a PPP server, the LNS must 
authenticate and return the IPCP parameters to the PPP caller after authentication. As PPP configuration 
parameters share common characteristics per caller, they are described in a L2TP/PPP virtual template 
(cf. section 4.9.2.2). The L2TP-group configuration only needs to refer to that configuration template (one 
single PPP template is accepted): 


CLI (config-l12tp-group)> lns-incoming 

CLI (config-lns)> virtual-template <template-id> 
CLI (config-lns)> exit 

CLI (config-1l2tp-group) > 


To authorize the L2TP tunnel establishment, an authentication between the L2TP peers can be required, 
using a login/password couple. The authentication is enabled using the following command: 

CLI (config-l2tp-group)> 12tp tunnel authentication 
Use no 12tp tunnel authentication to disable authentication. The authentication parameters are 
given as follows, beginning in 12tp-group configuration mode: 

CLI (config-1l2tp-group)> local name <hostname> 

CLI (config-l2tp-group)> 12tp tunnel password <password> 
If the login/password must be encrypted for authentication confidentiality, use the next command: 


CLI (config-l2tp-group)> 12tp hidden 


All the following parameters are optional. 


L2TP embeds a flow-control mechanism for PPP payload packets (disabled by default), which is activated 
using the following command: 


CLI (config-12tp-group)> 12tp sequencing 


Use no 12tp sequencing to disable flow control. Several other parameters can be entered: 


CLI (config-l2tp-group)> 12tp tunnel hello <interval> 


<interval> is the interval between each ‘hello' message that keeps the tunnel alive. Default: 60 sec. 
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CLI (config-1l2tp-group)> 12tp tunnel retransmit retries <retries> 


<retries> is the number of 'retries' to consider the L2TP tunnel as out-of-service. Default: 5. 


CLI (config-l2tp-group)> 12tp tunnel retransmit timeout max <interval> 


<interval> is the time between each retransmitted message. Default: 16 sec. 








CLI (config-l2tp-group)> 12tp tunnel receive-window <number-of-packets> 


<number-of-packets> is the number of PPP payload packets that can be sent without 
acknowledgement (only relevant if flow control is activated). Default: 4. 


CLI (config-l2tp-group)> 12tp tunnel inactivity timeout <interval> 


<interval> is the time with no data traffic after which the L2TP must be closed. Default: disabled. 
4.9.2.4 L2TP Group Configuration based on Templates 


The user can define a virtual template describing some L2TP group characteristics. The L2TP virtual 
template is assigned as follows, beginning in 12tp-group configuration mode: 


CLI (config-l2tp-group)> source 12tp-template 
CLI (config-l2tp-group)> exit 
CLI (configure) > 


One single virtual template can be configured as follows: 


CLI (configure)> 12tp-—template 
CLI (12tp-template) > 


The CLI has entered in L2TP template configuration mode. As PPP configuration parameters share 
common characteristics per caller, they are described in a L2TP/PPP virtual template (cf. section 4.9.2.2). 
The L2TP-group configuration only needs to refer to that configuration template (one single PPP template 
is accepted): 


CLI (config-l12tp-template) > lns-incoming 

CLI (config-lns)> virtual-template <template-id> 
( 
( 





CLI (config-lns)> exit 
CLI (config-12tp-—group) > 


To authorize the L2TP tunnel establishment, an authentication between the L2TP peers can be required, 
using a login/password couple. The authentication is enabled using the following command: 





CLI (config-l2tp-template)> 12tp tunnel authentication 


Use 'no 12tp tunnel authentication' to disable authentication. The authentication parameters 
are given as follows, beginning in 12tp-—group configuration mode: 





CLI (config-l2tp-template)> local name <hostname> 
CLI (config-l2tp-template)> 12tp tunnel password <password> 





If the login/password must be encrypted for authentication confidentiality, use the following command: 
CLI (config-l2tp-template)> 12tp hidden 





All the following parameters are optional. 


L2TP embeds a flow-control mechanism for PPP payload packets (disabled by default), which is activated 
using the following command: 


CLI (config-12tp-template)> 12tp sequencing 





Use 'no 12tp sequencing' to disable flow control. Several other parameters can be entered: 


CLI (config-l2tp-template)> 12tp tunnel hello <interval> 
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<interval> is the interval between each 'hello' message that keeps the tunnel alive. Default: 60 sec. 


CLI (config-1l2tp-template)> 12tp tunnel retransmit retries <retries> 





<retries> is the number of 'retries' to consider the L2TP tunnel as out-of-service. Default: 5. 





CLI (config-l2tp-template)> 12tp tunnel retransmit timeout max <interval> 





<interval> is the time between each retransmitted message. Default: 16 sec. 











CLI (config-l2tp-template)> 12tp tunnel receive-window <number-of-packets> 


<number-of-packets> is the number of PPP payload packets that can be sent without 
acknowledgement (only relevant if flow control is activated). Default: 4. 


CLI (config-l2tp-template)> 12tp tunnel inactivity timeout <interval> 





<interval> is the time with no data traffic after which the L2TP must be closed. Default: disabled. 


4.9.2.5 | LNS Configuration Example 


In this example, the LNS configuration enables the connection of 50 PPP subscribers connected through a 
DSL access network. 





PPP Subscribers RADIUS 














Server 


The L2TP tunnel is established between the LAC (named 'lac-32' for L2TP tunnel establishment) and 
the LNS. The PPP subscribers receive their IP address through the LNS server, which takes addresses 
from the address pool named 'ppp_virt3'. 


ip local pool ppp _virt3 60.3.1.1 60.3.1.50 
interface FastEthernet 0/0 

ip address 20.1.1.25 255.0.0.0 

exit 

interface Ethernet 0/0 

ip address 220.0.0.25 255.255.255.0 

ip address 192.178.10.25 255.255.255.0 secondary 
exit 


! Configure loopback address to unnumbered PPP interfaces 


interface Loopback 2 
ip address 70.0.0.1 255.255.255.0 
exit 


! Define template 11 for an L2TP group, which uses the PPP profile 1 
interface virtual-template 11 

ppp-profile 1 

exit 


! Characteristics of the PPP profile #1 
virtual-template ppp 1 
ipcp dynamic 
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ip unnumbered loopback 2 

mru local 1500 no 

authentication pap 

keepalive 10 

peer default ip pool ppp virt3 
radius-server 192.178.10.43 ip2002 
execute 

exit 


ip route 0.0.0.0 0.0.0.0 ethernet 0/0 


! L2TP settings 

12tp enable 

12tp-group test 
terminate-from hostname lac-—32 
12tp tunnel authentication 
12tp tunnel password mypwd 
ins-incoming 

virtual-template 11 

exit 

exit 


4.9.2.6 LNS Statistics and Debug 


To show L2TP tunnels, use the following command (‘all' provides detailed information): 


CLI> show 12tp tunnel [all] 


To show L2TP transport statistics at the UDP layer, use the following commands: 


CLI> show 12tp tunnel transport 


To show L2TP sessions, use the following commands: 


CLI> show 12tp session 


CLI> show 12tp session all 


Some debugging commands are also available to display on the console real-time execution of the 


L2TP/PPP protocol: 
All debug information: 
CLI> debug 12tp all 


Debug only alarms: 
CLI> debug 12tp alarm 


Debug the L2TP core information: 


CLI> debug 12tp core 


Debug L2TP protocol state transition information: 
CLI> debug 12tp fsm 


Debug L2TP-PPP interactions: 
CLI> debug 12tp ppp 


Debug L2TP-UDP interactions: 
CLI> debug 12tp transport 
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4.9.3 


4.9.3.1 


4.9.3.1 


LAC-Client 
Configuration 


As explained at the beginning of this section, a LAC-client interface consists of two layers of protocols: 
e L2TP: the L2TP layer parameters are configured within an 12tp_group. 


e PPP: the PPP parameters are configured within a virtual-template ppp, similarly to an ISDN 
dial-out interface. The configuration parameters found in a PPP virtual-template are not further 
explained in this section. For more information on such templates, please refer to section 4.3.5. The 
virtual-template is then associated with an L2TP-client tunnel interface (12tunnel). 


1 L2TP configuration 


To start the L2TP service, enter the following command from global configuration mode: 


CLI (configure)> 12tp enable 


Note: to disable the L2TP service, use the 12tp disable command, which is the default status. 


It is then necessary to create an L2TP group that contains all L2TP-layer configuration parameters, which 
is established with a single peer. The command is the following: 


CLI (configure)> 12tp-group <group-name> 
<group-name> is a string, uniquely identifying the L2TP group. The last command makes the CLI enter in 
L2TP configuration mode. 


When the first PPP session supported by the L2TP group is initiated, the L2TP tunnel must be first 
established. The LNS must match the LAC request with an L2TP group in order to determine which L2TP 
parameters shall be used. To do so, the LAC host name is used. The LAC-client hostname is configured 
as follows (it must correspond to the terminate-from hostname <hostname> on the LNS side): 


CLI(12tp-group)> local name <LAC-hostname> 
To authorize the L2TP tunnel establishment, an authentication between the L2TP peers can be required, 
using a login/password couple. The authentication is enabled using the following command: 

CLI (config-l2tp-group)> 12tp tunnel authentication 
Use no 12tp tunnel authentication to disable authentication. The authentication parameters are 
given as follows, beginning in 12tp-group configuration mode: 


CLI (config-l2tp-group)> 12tp tunnel password <password> 


If the login/password must be encrypted for authentication confidentiality, use the next command: 


CLI (config-l2tp-group)> 12tp hidden 


You must enter also the IP address of the LNS: 


CLI(12tp-group)> initiate-to ip { <lns-ip> [backup]| authorization } 


If you enter static IP addresses, only one main and one backup LNS are supported. OneOS attempts to 
contact the backup LNS only if the main LNS is not responding. If the main LNS is responding but the 
tunnel setup fails, the backup LNS is not contacted as it is assumed that the configured parameters are 
wrong. The backup LNS IP is entered by adding the keyword backup in the command. Instead of static IP, 
the IP addresses of the LNS routers can be retrieved via AAA (RADIUS) when the command 'initiate- 
to ip authorization’ is entered. Both modes (AAA or RADIUS) are mutually exclusive. The 
authorization mode becomes effective after that the next command is entered: 


CLI(configure)> aaa authorization network {radius | group <radius-aaa- 
group>} 
Please check that a route to the configured LNS is present in the routing table. 


Then, you must enter the domain name of the LAC-function. The domain name is understood as follows: in 
the PPP parameters, a username is defined for authentication. The username is always under the 
following form: <user>@<domaine.com>. When you will configure the 12tunnel interface (LAC 
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client), the L2TP domain name must match PPP domain name (if PPP username is “vivaldi@dependable- 
routers.com”, the L2TP domain name must be “dependable-routers.com”). The domain name is entered as 
follows: 


CLI (12tp-group) > lac-incoming 

CLI (lac-incoming) > domain <domain-name> 

CLI (lac-incoming)> exit 
lac-incoming refers to the fact the interface is seen as a L2TP access concentrator by the LNS and it 
establishes an incoming PPP session into the network accessed via the LNS. 


Optional Commands: 


L2TP embeds a flow-control mechanism for PPP payload packets (disabled by default), which is activated 
using the following command: 


CLI (config-12tp-group) > 12tp sequencing 


Use no 12tp sequencing to disable flow control. Several other parameters can be entered: 


CLI (config-12tp-group)> 12tp tunnel hello <interval> 


<interval> is the interval between each 'hello' message that keeps the tunnel alive. Default: 60 sec. 








CLI (config-l2tp-group)> 12tp tunnel retransmit retries <retries> 


<retries> is the number of 'retries' to consider the L2TP tunnel as out-of-service. Default: 5. 


CLI (config-l2tp-group)> 12tp tunnel retransmit timeout max <interval> 





<interval> is the time between each retransmitted message. Default: 16 sec. 








CLI (config-l2tp-group)> 12tp tunnel receive-window <number-of-packets> 
<number-of-packets> is the number of PPP payload packets that can be sent without 
acknowledgement (only relevant if flow control is activated). Default: 4. 


CLI (config-l2tp-group)> 12tp tunnel inactivity timeout <interval> 


<interval> is the time with no data traffic after which the L2TP must be closed. Default: disabled. 


Path MTU Discovery (PMTUD) is a function that forces the Don’t-Fragment (DF) bit of every L2TP packet 
to 1. If a packet whose DF=1 is routed on an interface having an MTU smaller than the packet, the packet 
is dropped and an ICMP error message is returned to the sender indicating the interface MTU. PMTUD 
takes into account this information and lowers automatically the MTU of the interface. To activate PMTUD, 
enter the following command: 


CLI(12tp-group)> [no] ip pmtu 
The TOS value of the encapsulated IP packet is copied into the L2TP IP header if the following command 
is entered (default: not active): 


CLI(12tp-group)> [no] ip tos 
4.9.3.1.2 | PPP-LAC-Client Tunnel Configuration 


To create the LAC-client tunnel interface, select the tunnel ID and enter under L2TP interface configuration 
mode from the global configuration mode: 


CLI (configure)> interface 12tunnel <tunnel-id> 


Attach then the PPP virtual template: 
CLI (config-if)> ppp-profile <ppp-virtual-template-id> 


As a logical IP interface, you can configure IP services under the L2TP interface as follows: 


CLI (config-if)> ip access-group <acl-name> in 
CLI (config-if)> ip tcp adjust-mss <length> 
CLI (config-if)> 
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4.9.3.1.3. LAC Tunnel Accounting 


If the following command is entered: 


CLI(configure)> aaa accounting network 


<acc-service-name> 


group <radius-aaa-group> [vendor-id-override <id>] 


start-stop 


Accounting messages (tunnel ON-OFF) are sent to the RADIUS server of the AAA group. By default, the 
vendor-id in the RADIUS request is OneAccess but it can be overridden to match <id> that is a numerical 


value. 


4.9.3.1.4 PPP-LAC-Client Configuration Example 


hotspot>show running-config 
Building configuration... 


Current configuration: 


hostname hotspot 
virtual-template ppp 1 
ipep static 
ip address 20.0.0.2 
authentication pap 
username bill@monica.com 
password toto 
reconnection automatic 
execute 
exit 
interface adsl 0 
modem mode AUTO 
execute 
exit 
interface atm 0 
driver ident 0 
max channels 10 
max vp 5 
max vc 8 
range vp min 0 max 255 
range vc min 32 max 100 
execute 
exit 
adsl 
execute 
exit 
exit 
interface atm 0.1 
pvc pppoa vpi 8 vci 36 
ipcep dynamic 
authentication pap 
username onel00@hotspot 
password toto 
execute 
exit 
ip nat inside overload 
exit 
ip route 0.0.0.0 
ip route 219.1.1. 
12tp enable 
12tp-group tunnel 
local name hotspot 
initiate-to ip 219.1.1.100 
lac-—incoming 
domain monica.com 
exit 
exit 
interface 12tunnel 1 


0.0.0.0 12tunnel 1 
0 


0 
255.255.255.0 221.13.10.20 
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ppp-profile 1 

ip tcp adjust-mss 1400 
ip nat inside overload 
exit 


4.9.3.2 LAC 


To show 
Cc 


To show 
iS 


To show 
e 


C 


Statistics and Debug 


L2TP tunnels, use the following command (‘all' provides detailed information): 


LI> show 12tp tunnel [all] 


L2TP transport statistics at the UDP layer, use the following commands: 


LI> show 12tp tunnel transport 


L2TP sessions, use the following commands: 


LI> show 12tp session 





LI> show 12tp session all 


A debugging command displays on the console real-time execution of the L2TP/PPP protocol: 


CLI> debug 12tunnel 


The next debugging command displays L2TP/PPP protocol state changes: 


CLI> event filter add wan 12tp all show 
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4.10 


VIRTUAL LAN AND PRIORITY TAGGING 


Virtual LAN (VLAN) is a technique to logically divide a network into small (generally layer-2) segments, 
which share the same physical media, but not the traffic. This section describes the main features of 
VLAN, VLAN Based Routing and their configuration. 


In addition, a LAN switch device is available on the OneOS-based product series. Please check the 
release notes of the hardware platform to see if such a switch is present in your product. If a LAN switch is 
present, switched VLAN and/or bridge can also be configured. 


4.10.1 Features 


4.10.1. 


1. Introduction to VLAN 


Depending on hardware platform, one or all of the following functions can be available: 
e VLAN based routing, available on all platforms. 


e LAN switching/routing without VLAN, available only if multi-port Ethernet module is present on the 
product. 


e LAN switching/routing with VLAN, available only if multi-port Ethernet module is present on the 
product. 


The ONE10 does offer neither port-based routing nor port-based VLAN. 


VLAN is often viewed as an information broadcast domain in a switched network. It is a way to logically 
group end stations, servers, located on different physical LAN segments. Hosts on the same VLAN can 
exchange messages regardless of their physical location as if they were on the same LAN segment. 


VLAN provides a different method to segment networks rather than using physical separation. For 
example, stations from the same project, or the same team, or the same department, or the same 
application, can be grouped in a VLAN. Traffic for the same VLAN is generally switched or bridged among 
different LAN segments. 


There are several methods to define VLAN in an organization. The most commonly used methods include: 


e Port based VLAN. VLAN membership is specified by ports. For example, ports 0, 2 and 3 form VLAN 
1, ports 1 and 4 form VLAN 2. 


e MAC address based VLAN. VLAN membership is specified by a group of MAC addresses. Using this 
method, a station can be moved from a port to another without problem. 


e Layer 3 defined VLAN. VLAN membership is specified by layer 3 or higher layer information, for 
example, by using IP addresses. 


A port based VLAN is shown in the following figure. Between ports of the same VLAN, traffic is switched or 
bridged, which gives better performance and flexibility. Traffic between different VLANs can be routed by 
the IP layer. As such, different VLANs are also separated by different network addresses. For example, in 
the following diagram (showing a router with a VLAN-enabled Ethernet switch), traffic between port 2 and 
port 3 is switched as they are part of the same VLAN. Traffic between port 1 and port 2 is routed as they 
do not belong to the same VLAN. 
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On an OneOS-based router without LAN switch, it is allowed to create up to 255 VLANs if needed on a 
physical LAN port. On an OneOS-based router with a LAN switch, one single VLAN can be configured per 
port. 


If more than one VLAN sub-interface is configured, layer-two switching is not possible. 


Each VLAN should be identified by a VLAN ID, also Known as VLAN tag. VLAN frames are encapsulated 
in IEEE 802.1Q defined VLAN format, which prescribes a new VLAN header to be inserted after the IEEE 
802.3 header. The format of VLAN frames is shown in the following figure: 


6 bytes 6 bytes 4 bytes 2 bytes 4 bytes 


EtherType 0x8100 /PRI| CF VLAN ID 








16 bits 3 bits 1bit 12 bits 


e — PRI: User Priority 
e CFI: Canonical Frame Identifier 


e FCS: Frame Check-Sum 
4.10.1.2 Priority Tagging 


The standard 802.1d and 802.1p define the three priority bits in VLAN header as indicated the packet 
priority. The priority is a value ranging from 0 to 7. The priority is mapped into access categories. Some 
Ethernet switches are able to manage queues with strict priority queuing based on the priority value. 
Priority queuing means that a queue can transmit if the medium is free and the queues of higher priority 
are empty. Switch interfaces on OneAccess products do not support this queuing. The default 
categories are: 
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Access Categories CoS Priority (802.1q/p) 

Voice 7,6 Highest priority 
Video 5,4 

Best Effort 0,3 

Background 2,1 Lowest priority 














OneOS-based products are able to tag Ethernet packets with the desired priority as well as classifying 
incoming packets based on their VLAN priority. 802.1p marking is available on all interfaces that support 
802.1Q encapsulation. 


The following interfaces support VLAN configuration: 
e _Ethernet/FastEthernet sub-interfaces 

e ATM AAL5D sub-interfaces 

e Dott 1radio sub-interfaces 

e BVI (over Ethernet/FastEthernet/WiFi/IPoA) 


e EFM sub-interfaces 


As of V4.2R5 software release, double-tagged (or stacked) VLANs are available according to 802.1ad. 
Double-tagging is also known as 802.1Q-in-Q. 


The following interfaces support Q-in-Q configuration: 
e  Ethernet/FastEthernet sub-interfaces 
e ATM AAL5D sub-interfaces 


4.10.2 Configuration Commands 


A VLAN interface is a virtual sub-interface created on a physical Ethernet interface, namely: FastEthernet, 
EFM (over G.SHDSL.bis), ATM-AAL5, Bridge virtual interface (BVI). Multiple VLAN sub-interfaces can be 
configured on a single physical interface. To create a VLAN interface, use the following command in global 
configuration mode: 


CLI (configure)> interface { FastEthernet <module>/<port>.<sub-interface> 
| Ethernet <port>.<sub-interface> 
| atm-aal5 <slot>/<port>.<sub-interface> 
| bvi <id> 
| efm 0.<sub-interface> } 
Sub-interface number must be specified and must be in the range from 1 to 255. This command, if 
successful, enters in interface configuration mode. 


To delete a VLAN interface, use the no form of the above command. 


In order for a VLAN interface to function, a VLAN ID must be set using the following command in interface 
configuration mode: 


CLI (config-if)> encapsulation dot1Q <vlan-id> [default-pri <0..7> ] 
[ native ] 


vlan-id is an integer ranging from 1 to 4095. It has no default value. If the Keyword native is present, 
this VLAN becomes a native VLAN. On native VLANs, only IEEE 802.3 encapsulation is used (no VLAN 
header is included in the frame). They are targeted for use with LAN stations, which are part of a VLAN but 
not able to decode IEEE 802.1Q encapsulated frames (use of conventional Ethernet frames). Only one 
single native VLAN per port can be declared as no VLAN header is present to discriminate two VLANs. 
default-pri <0O..7> is the default VLAN priority. To remove default priority, enter the command 
encapsulation <id> [native]. native parameter is still available after default-pri keyword; 
this can make sense for use with WLAN interface. If policy-based routing or IP QoS have tagged the 
priority bits, the default-—pri value is overridden. 
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4.10. 


4.10. 


To remove dot1Q encapsulation, use the command default encapsulation. 


The native mode is supported on the switch of the OneOS-based routers as of V3.7R11. 


To create a Q-in-Q VLAN interface, use the following command in global configuration mode: 


CLI (configure)> interface { FastEthernet <module>/<port>.<sub-interface> 
| Ethernet <port>.<sub-interface> 
| atm-aal5 <slot>/<port>.<sub-interface> } 


Sub-interface number must be specified and must be in the range from 1 to 255. This command, if 
successful, enters in interface configuration mode. 


In order for a VLAN interface to function in Q-in-Q mode, a provider VLAN ID and a customer VLAN ID 
must be set using the following command in interface configuration mode: 


CLI (config-if)> encapsulation dot1Q <S-vlan-id> [default-pri <0..7> ] 
[second-—dot1Q <C-vlan-id>] [ native ] 


S-vlan-id and C-vlan-id are integers ranging from 1 to 4095. They have no default value. See the 
encapsulation dot1Q <vlan-id> command above for more information. 


In order for a VLAN interface to function as a routing interface, an IP address must be set. To do it, use the 
following command in interface configuration mode: 


CLI (config-if)> ip address <address> [<mask>] [secondary] 


You can configure any IP services on such sub-interfaces, such as NAT, ACL, QoS, policy-routing, and ... 


To delete an IP address, use the no form of the above command. 
3 Statistics 


To display statistics about the existing VLAN, use the following command: 


CLI> show vlans 

802.10 Virtual LAN: FastEthernet 0/0.1, VLAN ID: 10 
IN: 8 packets, 628 bytes 

OUT: 6 packets, 524 bytes 

802.10 Virtual LAN: Ethernet 0/0.1, VLAN ID: 20 

IN: 11 packets, 1456 bytes 

OUT: 10 packets, 1346 bytes 











To display information about the existing bridge groups, use the following command: 


CLI> show bridge-group 

Bridge group 1: 

FastEthernet 0/0.10, FastEthernet 0/2.10, FastEthernet 0/3.10 
Bridge group 2: 
FastEthernet 0/1.20, FastEthernet 0/1.20 











4 Debug and Trace 


To enable IP interface debugging, use the following command: 


CLI> debug ip interface 


To disable IP interface debugging, use the 'no' form of the above command. 
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4.11 BRIDGE VIRTUAL INTERFACE (BVI) AND LAN SWITCHING 


4.11.1 Introduction and Features 
4.11.1.1 Setting Up an Ethernet Switch 


An Ethernet switch is a network component that can bridge Ethernet frames between its Ethernet ports. 
The Ethernet switch keeps track of MAC addresses associated with ports, so that the switch knows where 
to forward an Ethernet frame based on the destination MAC address. When the switch is connected to a 
router via a single port, the router ‘sees’ workstations connected to this switch as a LAN network; they are 
reachable through a physical Ethernet interface. 


When the switch is built in the router, the routing software still ‘sees’ these workstation as a LAN network. 
The difference is that they are not reached via a physical interface but rather through a virtual interface, 
called Bridge Virtual Interface (BVI). 


FastEthernet interfaces (physical Ethernet ports) and sub-interfaces (VLAN sub-interfaces) can be 
member of a BVI and thus form an Ethernet switching group. The BVI membership is defined by using the 
same bridge-group ID on FastEthernet interfaces/sub-interfaces. 


A BVI interface is ‘up’ as long as at least one interface having the same bridge-group ID is ‘up’. A BVI 
interface is ‘down’ when all BVI member interfaces are ‘down’. 


The following diagram show how a router with a 5 port-switch can be divided into 2 Ethernet switches by 
configuring 2 BVI: 


Routing Software 


192.168.1.1/24 10.100.1.1/24 


FastEthernet | FastEthernet | FastEthernet | FastEthernet | FastEthernet 
0/0 0/1 0/2 0/3 0/4 





Note: in previous OneOS releases, BVI interfaces did not exist. Therefore, switching was configured that 
way on an Ethernet switch: 


interface fastEthernet 0/0 

ip address 192.168.1.1 255.255.255.0 
bridge-group 2 
exit 

interface fastEthernet 0/1 
bridge-group 2 
exit 
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It is strongly recommended to use BVI interfaces instead. The previous method is supported but 
deprecated, as the BVI offers a better state management of the interface. 


Multiple MAC Addresses 


The standard behavior is that the router has a single MAC address facing the switch. Even if the router has 
different BVI groups or routed FastEthernet ports on the switch, the router is addressed by the same MAC 
address. This feature is useful with VRRP to avoid that a firewall drops packets with the same IP and 
different MAC. Also, the standard behavior is recommended if the router is connected to another switch via 
several ports (to avoid loops). However, multiple MAC addresses can be assigned. 


4.11.1.2 Integrated Routing and Bridging (IRB) and PVC Multiplexing Layers 


The purpose of IRB is to provide a bridging service between LAN/VLAN interfaces and ATM PVCs. The 
bridging architecture is represented below: 


Virtual 
Ethernet 
Interface 
IP Module 


NAT/Firewall/QoS/Routing 


Bridge (BVI) 






Bridge Interfaces Bridge Interfaces IPoA, PPPoE 


Ethernet Ethernet oo PVC Multiplexing Other PVC 


/VLAN /VLAN 


In the previous example, the BVI interfaces had the following role: 
e Create a virtual interface, seen from the IP routing software. 


e Activate hardware-based layer-two switching between Ethernet ports (or VLAN sub-interfaces) in the 
switching component. 


How Bridging Works 


With the IRB function, bridging between different interfaces (other Ethernet ports, ATM interfaces) is 
possible via software. If a packet coming from the LAN has a destination Ethernet address that matches 
the BVI MAC address, the packet is forwarded to the IP module and it is routed. If the destination MAC 
address is not the BVI MAC address, bridging applies. 


At the beginning, the bridge has no entries in its cache to record the match between a MAC address and 
an interface port. An IP station tries to learn the MAC address of its default IP gateway. A MAC ARP- 
request is sent. The bridge forwards the ARP request to all interfaces, including to the IP module. It 
enables the station to learn the MAC address of the virtual Ethernet interface of the IP module. Then, the 
IP stations use the learned MAC address as destination MAC address when a packet must be sent over 
the WAN. 


When a frame enters an interface, there are two cases: 


e Either the bridge has "learned" that the MAC destination address designates a station found on the 
same LAN as the port. Therefore, the Ethernet frame does not need to be bridged to another port. A 
"local filtering" is thus achieved. The learning is an auto learning process: when the local filtering 
intercepts an Ethernet frame, the source MAC address of which is unknown, the MAC address is 
recorded in the local filtering table of the interface. To allow proper working when stations are moved, 
an aging process removes MAC addresses from the table when they are idle for a certain period of 
time. 


e Or the MAC destination address is unknown in the local filtering table and the frame is forwarded to 
internal bridging component. 


The bridging sub-component maintains a similar table as the local filtering. When a frame enters the 
bridging module, the software searches throughout the table whether the MAC destination address is 
known or not. If the address is unknown, the frame is broadcast to any interface (except the interface, 
which the frame is from). If the address is known, the table entry provides the interface, to which the frame 
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shall be sent. The table is built by inserting new table entries when a frame is received: if the MAC source 
address is unknown in the table, the MAC address and the interface where the frame was received is 
recorded in the table. An aging parameter enables the removal of MAC entries when the MAC is not used. 
The number of entries is limited, which increases bridge performance. The total number of recorded MAC 
addresses is a maximum of 1024. In case new MAC addresses must be learnt, the new MAC address 
replaces the oldest MAC address stored. 


About PVC Multiplexing 


To multiplex traditional IP frames (encapsulated in IPoA) and bridged Ethernet frames in the same AAL-5 
PVC, a special header (LLC/SNAP) must be added at the beginning of the AAL-5 payload. The LLC/SNAP 
header defines the payload type (RFC 2684), which enables to differentiate IPoA encapsulation from 
bridged Ethernet frames. When PPPoEOoA is multiplexed with other bridged flows, the discrimination 
between the flows is done by examining the destination MAC address of incoming Ethernet frames. If the 
destination MAC address of such incoming frames matches the PPPoE PVC MAC address, the frame is 
forwarded to the PPPoE software module, otherwise it is forwarded to the bridging software module. 
Therefore it is mandatory that the LLC/SNAP encapsulation be used when you need IRB. 


QoS Management on PVC Multiplexing Interface 


Flows are prioritized not according to their origin (IPoA, PPPoE, and Bridge Ethernet) but rather based on 
an internal packet tagging. This tag indicates whether a packet is a priority frame or not. The tag is a flag in 
a memory context associated to the packet, but the tag is not a field in the packet. If the frame is tagged 
and IRB is enabled on that interface, the frame is inserted at the beginning of the emission queue (transmit 
ring), so that the frame get absolute priority and low latency. 


Tagging is implicit: when a packet is processed through an output QoS policy and if the packet is matched 
by a priority class, the packet is tagged. 
4.11.2 BVI Configuration 


The first step is to declare the BVI interface and to assign IP parameters: 


CLI (configure)> interface bvi <1..255> 
CLI (config-if)> ip address { dhcp | <ip-address> <netmask> } 





A BVI is just a standard IP interface where you can configure any type of IP services such as ACL, NAT, 
QoS, routing, ... By default, the BVI interface use the FastEthernet 0/0 MAC address with no VLAN 
encapsulation. To assign a VLAN ID to the BVI interface, enter the following command under BVI 
configuration mode: 


CLI (config-if)> encapsulation dot1Q <1..4095> 


Where <1..4095> is the VLAN ID value. To remove dotiQ encapsulation, use the command 'default 
encapsulation’. You must then specify a bridge-group. A bridge-group is a unique, arbitrary identifier 
designating BVI membership of physical interfaces. 


CLI (config-if)> bridge-group <1..255> 
CLI (config-if)> exit 





You must declare in each bridged interface to which bridge group they belong. The command syntax is: 


CLI (configure)> interface { ethernet <port>[.<vlan-if-id>] | 
fastEthernet <slot>/<port>[.<vlan-if-id>] | 
atm 0.<if-id> | 
atm-aal5 <x>.<y>[.<z>] } 


CLI (config-if)> bridge-group <group-id> 


If you would like that the VLAN tag be removed on a specified FastEthernet sub-interface, please enter the 
following command under FastEthernet sub-interface configuration mode: 

CLI (config-if)> encapsulation dot1Q <1..4095> [native] 
The keyword native tells the router that the VLAN tag must be removed. In that case, only one sub- 
interface is allowed on this port. 
Warning: 


A BVI interface must be considered as a virtual FastEthernet interface. It is therefore not possible to do per 
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interface routing, but routing based on next-hop. The MAC address of next-hop is resolved per ARP and 
must be within BVI network. The next-hop IP cannot be the BVI IP. 


Invalid example: 


interface bvi 1 

ip address 10.100.1.1 255.255.255.0 
bridge-group 10 
exit 
interface fastEthernet 0/0 

bridge-group 10 
exit 

! Wrong: cannot route on this interface 
ip route 0.0.0.0 0.0.0.0 bvi 1 





Valid example: 


interface bvi 1 

ip address 10.100.1.1 255.255.255.0 
bridge-group 10 
exit 
interface fastEthernet 0/0 

bridge-group 10 
exit 

! 10.100.1.2 is part of 10.100.1.1/24 network 
! The static route below is then valid 
ip route 0.0.0.0 0.0.0.0 10.100.1.2 





4.11.3 Specific Switch Commands 


4.11 


It is possible to set some characteristics of every Fast Ethernet ports only when the routers are equipped 
with an Ethernet switch. The default mode is automatic crossover. But you can change the interface so 
that it is always straight (MDI) or crossed (MDIX): 


CLI (configure)> interface fastethernet 0/<0..5> 
CLI (config-if)> phy crossover {default | MDI | MDIX | auto } 


To configure the switch an extended cable length: 


CLI (config-if)> phy extended-distance {default | normal | enabled } 


To configure the switch to be optimized for shielded/unshielded cable: 


CLI (config-if)> phy twisted-pair { default | unshielded | shielded } 


.4Multiple MAC Addresses on Switch Ports 


Warning: this functionality may lead to degraded performance when enabled on ONECelI25, 
ONE60, ONE100A and ONE200. 


To allow OneOS to use many MAC addresses, use the next command (default: disable): 


CLI (configure)> multi-mac-address { enable | disable } 


If multi-mac-address is enabled: 
e FastEthernet ports of the switch interface with an IP address get a different MAC address. 


e If VRRP is used, the virtual router can use a virtual MAC address for the VRID and a physical MAC 
address for FastEthernet ports simultaneously. 


e One can assign MAC addresses to BVI or VLAN interfaces (default MAC remains the Mac address of 
FastEthernet 0/0). If the MAC address is changed, OneOS checks that the new MAC is different from 
the MAC assigned to another BVI or VLAN. 


To set the MAC address on VLAN/BVI: 


CLI (configure)> interface { bvi <id> | fastEthernet 0/<0..3>.<y> } 
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CLI (config-if)> { mac-address <xx:xx:xXxX!:xXX!XX!XX> 
| mac5 | mac6 | mac7 
| default mac-address } 


mac5, mac6, mac7 are available MAC addresses as listed in the product information area. 


Show command: 


CLI> show system statistics multi-mac-address 
### Multi MAC Address feature is ACTIVE 
nb multi-mac featur nabl 
nb multi-mac feature disable 
nb get physical addr. req. 
nb add logical addr. req. 
nb del logical addr. req. 
nb addr. get from PIA 
nb addr. added in filter 
nb addr. removed from filter 
nb delete all addr. in filter 
### CTRL_O MAC Address Filter 
4 MAC Addr. in the filter 
00:12:EF:04:8A:6C 
00:12:EF:08:8A:6C 
00:12:EF:0C:8A:6C 
00:12:EF:14:8A:6C 
### CTRL_1 MAC Address Filter 
OQ MAC Addr. in the filter 








NOANDOFRFR DEN 





4.11.5 Examples 
4.11.5.1_ Simple Ethernet Switch 


The following configuration activates layer-2 switching on FastEthernet ports #0 to #8: 


interface bvi 1 

ip address 192.168.1.1 255.255.255.0 
bridge-group 10 

exit 

interface fastethernet 0/0 
bridge-group 10 

exit 

interface fastethernet 0/1 
bridge-group 10 

exit 

interface fastethernet 0/2 
bridge-group 10 

exit 

interface fastethernet 0/3 
bridge-group 10 

exit 


4.11.5.2 VLAN Ethernet Switch 


On the next configuration, there is one BVI: it is VLAN-based (VLAN ID = 101). Port #0 is a true VLAN 
port, whereas Port #1 is member of this VLAN without the VLAN header. 


Warning: such configuration is not possible on the ONE10 as a single VLAN per port is supported. 


interface bvi 1 

ip address 192.168.1.1 255.255.255.0 
bridge-group 1 

encapsulation dot1Q 101 

exit 

interface fastethernet 0/0.1 
encapsulation dot1Q 101 
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bridge-group 1 

exit 

interface fastethernet 0/1.1 
encapsulation dot1Q 101 native 
bridge-group 1 

exit 


4.11.5.3 Simple ATM Bridging 


The following example shows an Ethernet interface that is bridged over an ATM PVC. 


interface bvi 1 
ip address 192.168.1.1 255.255.255.0 
bridge-group 10 
exit 
interface fastethernet 0/0 
bridge-group 10 
exit 
inteface atm 0.1 
pvc ipoa vpi 8 vci 35 
ip address 10.10.10.12 255.255.255.0 
qos ubr 2304000 
execute 
exit 
bridge-group 10 
exit 


4.11.5.4 IP Encapsulation in IPoEoA 


The following example shows how to send IP frames encapsulated in Ethernet. 


interface bvi 1 
ip address 10.100.1.1 255.255.255.0 
bridge-group 10 
exit 
interface atm 0.1 
pvc ipoa vpi 8 vci 35 
ip address 10.1.1.1 255.255.255.0 
qos ubr 2304000 
execute 
exit 
bridge-group 10 
exit 
ip route 0.0.0.0 0.0.0.0 10.100.1.2 


4.11.5.5 Priority-Queuing with IPOEOA and PPPoEoA 


The following example is the same as the previous one, except that we want IPoE to have absolute priority 


over the PPPoEOA flow. 


class-map takeall 
match any 
exit 
policy-map absolute-prio 
! Class-default is actually not used, but the configuration 
! requires that its bandwidth be not empty 
class class-default 
bandwidth percent 1 
exit 
class takeall 
priority percent 99 
exit 
exit 
interface bvi 1 
ip address 10.100.1.1 255.255.255.0 
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bridge-group 10 
service-policy output absolute-prio 
exit 
interface atm 0.1 
Pvc pppoeoa vpi 8 vci 35 
username **** 
password **** 
ipcp dynamic 
qos ubr 2304000 
execute 
exit 
ip nat inside overload 
bridge-group 10 
exit 


4.11.5.6 ATM Bridging with VLAN Mapping 


The objective of VLAN mapping is to bridge flows from VLAN ID 101 on PVC #1 and VLAN 202 on 
PVC #2. 


interface bvi 1 
ip address 192.168.1.1 255.255.255.0 
bridge-group 101 
encapsulation dot1Q 101 
exit 
interface bvi 2 
ip address 10.100.1.1 255.255.255.0 
bridge-group 202 
encapsulation dot1Q 202 
exit 
interface fastethernet 0/0.1 
bridge-group 101 
exit 
interface fastethernet 0/0.2 
bridge-group 202 
exit 
interface atm 0.1 
pvc ipoa vpi 8 vci 35 
ip address 10.10.10.10 255.255.255.0 
qos ubr 2304000 
execute 
exit 
bridge-group 101 
exit 
interface atm 0.2 
pvc ipoa vpi 8 vci 36 
ip address 10.10.12.12 255.255.255.0 
qos ubr 2304000 
execute 
exit 
bridge-group 202 
exit 


4.11.5.7 Several VLAN over one PVC 


The following example creates an ATM PVC (VPI 8, VCI 35) with 3 VLAN (10, 20, and 30) in the PVC. 


configure terminal 
interface atm 0 
driver ident 0 
max vp 8 
max vc 8 
range vp min 0 max 20 
range vc min O max 500 
execute 
exit 
gshdsl 
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linerate fixed 2304 


execute 
exit 
exit 
virtual-template pvc 1 
execute 
exit 
interface atm-aal5 0.1 
pve vpi 8 vci 35 
profile-pvc 1 
exit 
exit 
interface atm-aal5 0.1.10 
ip address 10.10.10.10 255.255.255.0 
encapsulation dot1Q 10 
exit 
interface atm-aal5 0.1.20 
ip address 20.20.20.20 255.255.255.0 
encapsulation dot1Q 20 
exit 
interface atm-aal5 0.1.30 
ip address 30.30.30.30 255.255.255.0 
encapsulation dot1Q 30 
exit 
exit 


The following example adds layer 2 QoS over VLAN to the previous example. 


configure terminal 
class-map cvlan10 
match vlan 10 
exit 
class-map cvlan20 
match vlan 20 
exit 
class-map cvlan30 
match vlan 30 
exit 
policy-map pvlanl10 
class cvlani10 
bandwidth percent 30 
exit 
exit 
policy-map pvlan20 
class cvlan20 
bandwidth percent 30 
exit 
exit 
policy-map pvlan30 
class cvlan30 
bandwidth percent 40 
exit 
exit 
policy-map atmpvc 
class cvlani10 
service-policy pvlanl0 
exit 
class cvlan20 
service-policy pvlan20 
exit 
class cvlan30 
service-policy pvlan30 
exit 
exit 
interface atm 0 
driver ident 0 
max vp 8 
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max vc 8 

range vp min 0 max 
range vc min 0 max 
execute 

exit 
gshdsl 


linerate fixed 2304 


execute 

exit 

exit 
virtual-template pvc 
execute 

exit 


interface atm-aal 0.1 


pve vpi 8 vci 35 
profile-pvc 1 
exit 
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20 
500 


1 


service-policy output atmpvc 


exit 

interface atm-aal5 0. 
ip address 10.10.10. 
encapsulation dotlq 
exit 

interface atm-aal5 0. 
ip address 20.20.20. 
encapsulation dotlq 
exit 
interface atm-aal5 0. 
ip address 30.30.30. 


1.10 
10 255.255.255.0 
10 


1.20 
20 255.255.255.0 
20 


1.30 
30 255.255.255.0 


encapsulation dotlq 30 
exit 
exit 


4.11.6 Debug & Show Functions 


To view the bridge group cache: 


CLI> show bridge-group cache [<group-id>] 


To clear the cache content for all groups: 


CLI> clear bridge-group cache [<group-id>] 


To debug issues related to bridge configuration: 
CLI> debug bridge 
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4.12 IP ACCESS LISTS 


This section describes the features of IP Access Control Lists (ACL) and their configuration. 
4.12.1 Features 


IP Access Control Lists, or simply, Access Lists, provide an efficient means to protect corporate networks 
against potential outside intruders and to control access rights for inside users. They can be used to 
perform simple access control (on source address, for example) or advanced control (on any combination 
of IP and transport protocol header fields). Users generally install access lists on the edge router to filter 
traffic incoming and outgoing the interface connected to the public network. 


Access lists can be considered containers of filters, which in turn define specific criteria for matching IP 
packets. Each filter also specifies the action (i.e., permit or deny) to be performed when matching a packet. 
Access lists can be applied to any interface in either the inbound or outbound direction. 


4.12.1.1 Standard Access Lists 


Standard access lists are the simplest form of access control. They provide traffic filtering only on IP 
source addresses. 


4.12.1.2_ Extended Access Lists 


Extended access lists provide advanced traffic filtering. They can filter packets using any combination of 
the following IP and transport protocol header fields: IP source and destination addresses, DSCP code, IP 
protocol identifier, TCP/UDP source and destination port numbers, as well as ICMP type and code. 


4.12.1.3 Reflexive Access Lists 


An extended access list can be reflexive. When a flow matches this list and the action is permitted, an 
appropriate temporary filter will be automatically set up in the reverse direction to allow subsequent 
session messages to pass through the device. Reflexive access lists are very useful for protection against 
address spoofing. With reflexive access lists, it becomes very easy to allow sessions to be initiated only 
from inside hosts. 


4.12.1.4 Local Access Lists 


A local access list matches only the local traffic (i.e. traffic destined to or generated by the router). Local 
access lists are useful, when there is a NAT inside overload configuration, to limit the access to the router 
without interfering with other traffics. The local access lists can be either standard or extended access lists. 


4.12.1.5 Reverse Path Forwarding 


A malicious user may steal the address of another host and use it as source address to carry out attacks 
on the network; for example, DOS (Denial of Service) attacks. In this case, it is very difficult to trace the 
source of the intrusion(s). With reverse path forwarding (RPF), the source address of a packet is checked 
and used to find a reverse route. The packet is forwarded only if a reverse route to the source is found, 
and the packet is received from the output interface of that route. 


4.12.1.6 ICMP Unreachable 


When a packet is dropped by an access list, an ICMP unreachable message can be sent according to a 
configuration parameter. 
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4.12.1.7 Context Based Access Control 


Access lists can track FTP control sessions so that appropriate actions can be performed for FTP data 
transfer sessions (for example, reflexive access lists). In addition, access lists perform session-based 
control for protocols such as TCP, UDP and ICMP. 


This control mode enables also full TCP packet inspection, namely detection of TCP SYN packets initiating 
the connection, RST or FIN packets ending the connection. TCP packet inspection also protects from TCP 
sequencing replay. 


Such control also limits the configured maximum number of sessions and TCP half-sessions on the router. 
(A half session is a session for which only a SYN packet was intercepted and the router waits for a 
SYN_ACK packet). When the limits are reached, packets are dropped. 


4.12.1.8 Per-Host Inspection 


When context based access-control is not enabled, per-host inspection controls the number of sessions 
per—source host. Each session initiated by a host is accounted. When the number of sessions for the same 
source host reaches a defined threshold, further packets are dropped. Log messages inform the 
administrator about a potential attack. Such limitation per host protects the router against some flooding 
attacks: without per host inspection, a user may initiate many sessions until the maximum number of 
sessions is reached. When the global session limit is reached, the router drops any packet opening a new 
session, until some sessions are removed. 


When context based access-control is not enabled, per-host inspection also controls the maximum number 
of half-sessions per host, thus preventing SYN-flooding attacks. 


4.12.1.9 Fragmentation 


Fragmented packets can be used to attack a network (known as tiny fragment attacks). To protect the 
inside network from this type of attack, the following mechanism is implemented by default. The first initial 
fragment, which contains all information necessary for matching access lists, must be received first. This 
implies that, in a TCP packet, the entire TCP header must be contained in the first fragment. For 
subsequent fragments, access lists carry out context-based control. 


For flexibility, it is possible to disable this feature, which allows IP fragments to be forwarded regardless of 
the arrival sequence. 


OneOS can hold disordered fragments in a list until the first fragment arrives. Once the first fragment 
treated, the rest of the fragments list is popped. This feature is activated only when NAT or ACL is 
configured on an interface and has no effects on non-fragmented packets. 


4.12.1.10 Logging and Statistics 


Access lists provide log information for matching packets, either denied or permitted. Information can be 
displayed either on the console, or logged to a file. Upon the first match of a filter, a log message will be 
issued. Then upon succeeding matches, a summary log message is periodically issued. The level of 
logging detail can be configured. 


When context based access-control is enabled, the audit mode logs information for each session. 
4.12.1.11 Interface Attachment 


An access list can be attached to an interface in either inbound or outbound directions. Packets are 
permitted without control if an access-list is not attached to the interface in the direction of packet flows. 
Otherwise, the permission or denial of a packet is controlled by the attached access list or the reflexive 
access list in the other direction. 


An ICMP error packet undergoes different processing from other packet types. If the attached access list 
explicitly forbids ICMP error packets to pass, then it is dropped. Otherwise, the embedded packet in the 
ICMP error packet is extracted and some further checking is performed. The ICMP error packet is 
permitted only if the embedded packet was already seen in the other direction. 


A local access list can be attached to an interface in either inbound or outbound directions. A global local 
access list can also be configured to match all the local traffic when there is no matching interface 
configured. 
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4.12.2 Configuration Commands 


An access list is a sequential list of filters. A new filter is always added at the end of the list. Configuration 
order in an access list is significant. A packet is matched against each filter from the beginning to the end 
of the list. Upon the first matching filter, the specified action of that filter is applied and access control 
processing stops. When a packet does not match any filter contained in an access list, the deny action is 
applied by default. 


To setup access lists, there are two steps: 
e Create access lists. An access list is identified by a unique name or number. 


e Apply the access lists to an interface. 
4.12.2.1_ ACL Rule Sequencing 


ACL usually contain a set of permit and deny rules. When a packet is processed by the ACL, it is matched 
against the ACL rules from the first one until the packet matches a rule. The order in which rules are 
entered is therefore very important. It might be then useful to insert rules at a specific place in ACL rule list. 


By default, rules have an implicit sequence number: the first rule gets the sequence number 1, the 2" rule 
gets 2, the 3 rule gets 3, ... 

If you configure a permit/deny rule without providing a sequence number, the rule is inserted at the end of 
the list. If you configure a rule with “i” as sequence number, the rule is inserted after the rule (i-1). If 
there is already a rule at the i-th position, the i-th rule sequence number and the sequence numbers of 
the subsequent rules are offset by 1. 


4.12.2.2 Standard Access Lists 


To create a standard access list, use the following command in global configuration mode: 


CLI (configure)> ip access-list standard <acl-name> 


To add a filter to the access list, use the following commands: 


CLI (ip-acl-std)> deny any [log] 

CLI (ip-acl-std)> permit any [log] 

CLI (ip-acl-std)> deny <source-address> [<wildcard>] [log] [sequence <1- 
100000>] 

CLI (ip-acl-std)> permit <source-address> [<wildcard>] [log] [sequence <1- 
100000>] 


The optional log keyword enables log information when a packet matches the filter. To delete a filter from 
an access list, use the "no" form of that command: 


CLI (ip-acl-std)> no deny any [log] 

CLI (ip-acl-std)> no permit any [log] 

CLI (ip-acl-std)> no deny <source-address> [<wildcard>] [log] 
CLI (ip-acl-std)> no permit <source-address> [<wildcard>] [log] 


Comments can be added to the access list, by using the following command: 


CLI (ip-acl-std)> remark <description-text> 
CLI (ip-acl-std)> exit 


The comment can be deleted within an access list by using the following command: 





CLI (ip-acl-std)> no remark 


To delete the standard access-list, use the following command in global configuration mode: 


CLI (configure)> no ip access-list standard <acl-—name> 
4.12.2.3. Extended Access Lists 


To create an extended access-list, use the following command in global configuration mode: 


CLI (configure)> ip access-list extended <acl-name> 
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To add a filter for TCP/UDP packets in the access-list, use the commands: 


CLI (ip-acl-ext)> permit {tcp|udp} <source-address> <source-wildcard> 
[<source-portl> [<source-port2>]] <dest-address> <dest-wildcard> [dest- 
portl [<dest-port2>]] [ dscp <0-63>] [precedence <0-7>] [ log ] [ 
fragments ] [sequence <1-100000>] 


CLI (ip-acl-ext) > deny {tcp|udp} <source-address> <source-wildcard> 
[<source-portl> [<source-port2>]] <dest-address> <dest-wildcard> [<dest-— 
portl> [<dest-port2>]] [ dscp <0-63>] [precedence <0-7>] [ log ] 
[sequence <1-100000>] 


The fragments keyword is obsolete by a more advanced mechanism. Please refer to 4.12.2.6. The 
fragments keyword, if present, disables the control on fragmented packets. Any fragmented packet 
matching the IP protocol type, the source and destination addresses, and DSCP value will be selected by 
the filter. 


To add a filter for ICMP packets in the access-list, use the commands: 


CLI (ip-acl-ext)> permit icmp <source-address> <source-wildcard> <dest-— 
address> <dest-wildcard> [icmp-type <0-255> [icmp-code <0-255>]] [dscp 
<0-63>] [precedence <0-7>] [log] [fragments] [sequence <1-100000>] 


CLI (ip-acl-ext)> deny icmp <source-address> <source-wildcard> <dest-— 
address> <dest-wildcard> [icmp-type <0-255> [icmp-code <0-255>]] [dscp 
<0-63>] [precedence <0-7>] [log] [sequence <1-100000>] 


To add a filter for any other protocol packets in the access-list, use the commands: 


CLI(ip-acl-ext)> permit ip  [<protocol-id>] <source-address> <source- 
wildcard> <dest-address> <dest-wildcard> [dscp <0-63>] [precedence <0-7>] 
[log] [fragments] [sequence <1-100000>] 


CLI (ip-acl-ext) > deny ip [<protocol-id>] <source-address> <source- 
wildcard> <dest-address> <dest-wildcard> [dscp <0-63>] [precedence <0-7>] 
[log] [sequence <1-100000>] 





Comments can be added to the access-list by using the following command: 


CLI (ip-acl-ext)> remark <description-text> 
CLI (ip-acl-ext)> exit 





To delete a filter from the extended access-list, use the ‘no' form of the above-referenced commands. 
To delete the extended access-list, use the following command in global configuration mode. 


CLI (configure)> no ip access-list extended <acl-name> 
4.12.2.4 Reflexive Access Lists 


To create an extended access-list with reflexive filters, add the keyword ‘reflexive’ at the end of a filter 
command. 


For example: 


CLI (configure)> ip access-list extended <acl-—name> 


CLI(ip-acl-ext)> permit {tcp|ludp} <source-address> <source-wildcard> 
[<source-portl> [<source-port2>]] <dest-address> <dest-wildcard> [<dest- 
portl> [<dest-port2>]] [dscp <0-63>] [precedence <0-7>] [log] [fragments] 
reflexive [sequence <1-100000>] 


CLI (ip-acl-ext)> permit icmp <source-address> <source-wildcard> <dest-— 
address> <dest-wildcard> [icmp-type <0-255> [icmp-code <0-255>]] [dscp 
<0-63>] [precedence <0-7>] [log] [fragments] reflexive [sequence <1- 
100000>] 


CLI(ip-acl-ext)> permit ip  [<protocol-id>] <source-address> <source- 
wildcard> <dest-address> <dest-wildcard> [dscp <0-63>] [precedence <0-7>] 
[log] [fragments] reflexive [sequence <1-100000>] 
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CLI (ip-acl-ext)> exit 
4.12.2.5 Reverse Path Forwarding 


To check the reverse path for the source address of received IP packets, use the following command in 
interface configuration mode: 


CLI (config-if)> ip verify reverse-path 


By default, the reverse path is not checked. 


Do not enable this feature on the interface that has been configured with a default route. 


To disable reverse path checking, use the command: 


CLI (config-if)> no ip verify reverse-path 
4.12.2.6 IP Fragmentation 


ACL and NAT always need at the beginning the first fragment of a packet to perform correctly their 
treatments. The feature permit to hold disordered fragments in a list until the first fragment arrives. Once 
the first fragment treated, the rest of the fragments list is popped. This feature is activated only when NAT 
or ACL is configured on an interface and has no effects on non-fragmented packets. 


The IP fragmentation can be tuned by setting the maximum number of packets and fragments as well as a 
timeout to flush the list: 


CLI (configure)> ip fragment packet-list <1-255> 
CLI (configure)> ip fragment frag-list <1-255> 

CLI (configure)> ip fragment timeout <1-10 seconds> 
CLI (config-if)> ip fragment default 


The default values are: 
e 10 fragmented packets authorized in queue (packet-list) 
e 10 fragments per packets authorized before first packet arrives (frag-list) 
e 3seconds fragments can wait the first fragment before being dropped (timeout) 
Fragmentation statistics are shown in'show ip statistics’. 
4.12.2.7 Attaching Access Lists to an Interface 
To attach an access list to an interface in either direction, use the following command in interface 
configuration mode: 
CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip access-group <acl-name> {in]|out} 
Only a single access-list can be attached to an interface and to a direction. The access-list should be 
created before attaching it to the interface. 
To detach the access-list from the interface, use the following command: 


CLI (config-if)> no ip access-group {in|out} 
4.12.2.8 Attaching Local Access Lists to an interface 


To attach a local access list to an interface in either direction, use the following command in global 
configuration mode: 


CLI (configure)> ip local access-list <acl-name> {inJout} [<interface>] 


Only a single local access-list can be attached to an interface and to a direction. The local access-list 
should be created before attaching it to the interface. 


The interface parameter is optional. If not configured, the local access list will be global and applied to 
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all the interfaces. 
To detach the local access-list from the interface, use the following command: 
CLI (configure)> no ip local access-list {inJout} [<interface>] 


The interface parameter is optional. If not configured, the global local access list will be detached from 
all the interfaces. 


4.12.2.9 Re-sequencing Access-lists 


Sequencing permits to assign numbers to filters within an access-list. Each filter owns a sequence number; 
filters in an access-list are then ordered by ascending sequence number. ACL re-sequencing enables to 
change in which order rules should be applied to an incoming packet. 


It also permits to insert a filter in a non-sequenced access-list. As there is no sense to insert sequenced 
filter in a non-sequenced access-list, this feature is however kept to facilitate insertions. Sequencing 
number is used to insert filter in the position defined by the number of filters in the access-list. Sequencing 
number is automatically lost. 


To sequence or re-sequence an access-list with a defined interval between each filter of the access-list, 
use the following command in configuration mode: 


CLI (configure)> ip access-list resequence <acl-name> [<1-100000>] 
By default, if no sequencing number is chosen, then each filter is separated by an interval of 1. Use the 
following command to set to default sequencing: 


CLI (configure)> ip access-list resequence <acl-—name> 


To reset sequencing on an access-list, use the no form of the above command: 


CLI (configure)> no ip access-list resequence <acl-name> 
4.12.2.10 Changing the Logging Interval 


The logging interval for 'permit' filters is the minimum amount of time between two events from the same 
session, whereas the logging interval for ‘deny’ filters is the minimum amount of time between two events 
from the same filter. 


CLI (configure)> ip access-list logging <seconds> 


The default interval for logging is 5 minutes. To return to the default value, use the following command: 


CLI (configure)> default ip access-list logging 
4.12.2.11 Changing the Maximum Number of Sessions 


By default, up to 5,000 session contexts can be managed in memory. A session context contains 
information about the session state and characteristics. If you need to manage more sessions, use the 
following command: 


CLI (configure)> ip inspect max-sessions <number> 
4.12.2.12 Changing the Idle-Timers 
To configure timers to shutdown the existing idle sessions, use the following commands in global 


configuration mode. 


The default timeout value for FTP sessions is 30 seconds. Use the following commands to set the timeout 
value for FTP sessions or to return to the default value: 


CLI (configure)> ip inspect ftp <seconds> 

CLI (configure)> default ip inspect ftp 
The default timeout value for ICMP is 30 seconds. Use the following commands to set the timeout for 
ICMP or to return to the default value: 


CLI (configure)> ip inspect icmp <seconds> 
CLI (configure)> default ip inspect icmp 
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The default timeout value for UDP sessions is 180 seconds. Use the following commands to set the 
timeout value for UDP sessions or to return to the default value: 


CLI (configure)> ip inspect udp <seconds> 
CLI (configure)> default ip inspect udp 


The default timeout value for TCP sessions is 1800 seconds. Use the following commands to set the 
timeout value for TCP sessions or to return to the default value: 


CLI (configure)> ip inspect tcp idle-time <seconds> 
CLI (configure)> default ip inspect tcp idle-time 


In some cases, it is desirable to reduce idle-timers for a specified protocol. Indeed, some applications 
(such as some peer-to-peer applications for file sharing) create a lot of connections with remote 
computers, thereby consuming many resources on the router (because a memory context is required for 
each session and this memory space is limited). Reducing idle-timers only for these applications will 
reduce the session number kept in router memory by eliminating earlier inactive sessions. (Note that the 
same issue exists with NAT, changing timers for NAT is also recommended in this case). To change the 
idle-timer for a specified protocol, the command is the following (beginning in global configuration 
terminal): 


CLI (configure)> ip inspect port-timeout { tcp | udp } { <protocol-name> | 


<port> } <seconds> 


You can provide the TCP or UDP port or the name of the protocol in clear text. The list of supported 
keywords is provided under'show {tcp|udp} port-—map’. To restore the default idle timer, use the next 
command: 


CLI (configure)> no ip inspect port-timeout { tcp | udp } { <protocol- 
name> | <port> } 


4.12.2.13 Stateful Inspection 


By default, stateful inspection is not enabled. Stateful inspection means that the TCP flags are checked to 
validate TCP protocol transaction validity. To activate this inspection, use: 


CLI(configure)> [no] ip inspect stateful 


If you wish to audit sessions, use the following command and you will be able to view logs by sessions 
(instead of by ACL) when using the 'show ip inspect sessions’ command: 


CLI (configure)> [no] ip inspect audit 


The default value for TCP SYN-wait timeout is 30 seconds. Use the following commands to set the TCP 
SYN-wait timeout or to return to the default value: 


CLI (configure)> ip inspect tcp synwait-time <seconds> 

CLI (configure)> default ip inspect tcp synwait-—time 
The default value for TCP FIN/RST timeout is 120 seconds. Use the following commands to set the TCP 
FIN/RST timeout or to return to the default value: 


CLI (configure)> ip inspect tcp finrst-time <seconds> 
CLI (configure)> default ip inspect tcp finrst-time 





The default timeout value for any other protocol sessions is 3600 seconds. Use the following commands to 
set the timeout for any other protocol sessions or to return to the default value: 


CLI (configure)> ip inspect other <seconds> 
CLI (configure)> default ip inspect other 





By default, the maximum number of sessions supported by access-lists is 5000. However, for scaling 
needs, this number is configurable thanks to the following command line: 


CLI (configure)> ip inspect max-sessions <100-100000> 


To restore the default configuration, use the following configuration command line: 


CLI (configure)> default ip inspect max-sessions 
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By default, the maximum number of half-open sessions supported by access-lists is 1000. However, for 
scaling needs, this number is configurable thanks to the following command line: 


CLI (configure)> ip inspect half-open <10-10000> 


To restore the default configuration, use the following configuration command line: 
CLI (configure)> default ip inspect half-open 
Generally, alarms are sent before the configured maximum number of sessions. It is possible to configure 
a percentage to trigger alarm at this threshold. Use the following configuration in command line: 
CLI (configure)> ip inspect max-session threshold <1-100> 
In the same way, use the following command line to trigger alarm when reaching the maximum number of 
half-sessions: 
CLI (configure)> ip inspect half-open threshold <1-100> 
By default, threshold for both max-session and half-session is fixed to 90%. To restore the default 
configuration, use the following command line: 
CLI (configure)> default ip inspect half-open threshold 
CLI (configure)> default ip inspect max-session threshold 
Alarms are sent according to the following procedure: 
e While one of the above thresholds is reached, alarms are periodically sent every 16 seconds. 
e When the threshold is no more reached, then alarm disappears. 


In order to be informed of a limit reached in an operational context, proprietary MIB traps are enabled 
through the following command line: 


CLI (configure)> snmp acl traps 


To restore the default configuration, use the no form of the above commana: 


CLI (configure)> no snmp acl traps 
4.12.2.14 Per-Host Inspection 


To activate per-host inspection, ensure first that an access-list is attached to an interface. Then, use the 
following command in configuration mode: 


CLI (configure)> ip inspect per—-host 


To disable per-host inspection, use the no form of the above command: 


CLI (configure)> no ip inspect per—-host 


To configure the maximum number of sessions allowed for one host, use the following command line: 
CLI (configure)> ip inspect per-host max-sessions [<5-10000>] 
Default maximum number of sessions per host is 50. To restore the default value, use the following 
configuration command line: 
CLI (configure)> ip inspect per-host max-sessions 
Used in conjunction with stateful inspection, it is possible to monitor the number of half-session per-host. 


To configure the maximum authorized number of half-sessions per host, use the following configuration 
command line: 


CLI (configure)> ip inspect per-host half-open [<5-100000>] 


Default maximum number of half-sessions per host is 20. To restore the default half-session number per 
host, use the following configuration command line: 


CLI (configure)> default ip inspect per-host half-open 
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4.12.2.15 Per-Host Address Inspection 


4.12. 


The per-host limit is a global limit applicable to all hosts. However, such threshold may fit well for LAN 
workstations, while being not adapted to large servers and proxies creating a large number of legal 
sessions. It is possible to specify a list of IP addresses and declare for each address the desired maximum 
authorized session or half-session. 


To configure the maximum authorized sessions for one specific IP address, use the following command 
line in configuration line: 


CLI (configure)> ip inspect per-host address <A.B.C.D> max-sessions <5- 
10000> 
To configure the maximum authorized half-sessions for one specific IP address, use the following 
command line in configuration line: 
CLI (configure)> ip inspect per-host address <A.B.C.D> half-session <5- 
5000> 
To disable per-host address configuration, use the no form of the above command: 


CLI (configure)> no ip inspect per-host address [<A.B.C.D>] 
3 Configuration Example 


In this example, the private network is using the address space 10.1.2.0/24. On the private network there 
are some servers, such as HTTP and FTP servers, which should be accessible from the outside network. 
The connection to the Internet is through a DSL interface (atm 0.1). Note that 10.1.2.0/24 is intentionally 
used, which is a private network address. The user must replace the address with public IP address on the 
interface atm 0.1. 





The objectives of the configuration to be set are: 
e __ To allow inside hosts to connect to any outside hosts. 


e To allow outside hosts to connect only to the inside server(s). Other inbound connections must be 
blocked. 


HTTP server 


nm eka ie | 




































remote host 























Private 
Network 
10.1.2.0 


The access control can be configured using the following commands (assuming other interface parameters 
are properly configured): 


event filter add ip ACL ALL SHOW 
configure terminal 

interface Ethernet 0 

ip address 10.1.2.1 255.255.255.0 
ip verify reverse-path 

exit 


ip access-list extended in_acl 

permit tcp 0.0.0.0 255.255.255.255 10.1.2.11 0.0. 
permit tcp 0.0.0.0 255.255.255.255 10.1.2.11 0.0. 
permit tcp 0.0.0.0 255.255.255.255 10.1.2.11 0.0.0. 
remark permit inbound sessions to inside servers 
exit 


0.0 80 
0.0 20 
0 21 


ip access-list extended out_acl 
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permit ip 10.1.2.0 0.0.0.255 0.0.0.0 255.255.255.255 log reflexive 
remark permit all outbound sessions 
exit 


interface atm 0.1 

! ### PVC configuration missing here 
ip access-group out_acl out 

ip access-group in_acl in 

exit 


4.12.4 Statistics 


Use the following command to display the statistics of the existing access-lists: 


CLI> show ip access-lists [<acl_name>] 

CLI> show ip access-lists 

Interface Atm0O.1, inbound IP access list in_acl, outbound IP access list 
out_acl 


IP access list out_acl 
permit any log reflexive (194 matches) 


IP access list in_acl 
permit any host 10.1.2.11 log (53 matches) 


Use the following command to display ACL global configuration parameters: 


CLI> show ip inspect config 

tcp synwait-time is 30 sec, tcp finwait-time is 120 sec 
tcp idle-time is 86400 sec, udp idle-time is 3600 sec 
icmp idle-time is 30 sec, other idle-time is 3600 sec 
log hold time: 300 sec 





Use the following command to display ACL global statistics: 


CLI> show ip inspect statistics 
Active/closed sessions 303/0 

memory allocation failures 0 
inbound/outbound packets dropped 0/0 
inbound/outbound packets permitted 303/303 


Use the following command to display ACL sessions: 


CLI> show ip inspect session <type> <unit> 

CLI> show ip inspect session Atm 0.1 

Interface Atm, inbound IP access list in_acl outbound IP access list 
out_acl 

protocol in-address:port out-address:port in/out timeout 


TCP 52.0.0.4:1031->52.0.0.3:telnet 34/44 96 

ICMP 52.0.0.4:26952->52.0.0.3:echo 5/5 30 

TCP 10.1.2.11:telnet<-52.0.0.3:24290 52/0 20744 
TCP 52.0.0.4:1030->192.178.10.43:telnet 50/56 60 





To delete all sessions from a specified interface, use the following command in global mode: 


CLI> clear ip inspect session <type> <unit> 


For example: 


CLI> clear ip inspect session atm 0.1 


To clear access list counters, use the following command in global mode: 


CLI> clear ip access-list <acl-name> 


To clear access list statistics, use the following command in global mode: 


CLI> clear ip inspect statistics 
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For logging ACL messages into a file, use the following command in global mode, in combination with the 
log keyword for the configured filters: 


CLI> event filter add ip ACL ALL LOG 


To cancel logging into a file, use the following command in global mode: 


CLI> event filter remove 1 


Use the following show command to display the list of current sessions per host. 


CLI> show ip inspect per-host 


address sessions/failed half-sessions/failed 
ZO. 5 28 1/0 0/0 

192.168.2.133 1/0 0/0 

192.168.2.250 1/0 0/0 

192.168.2.8 1/0 0/0 

1:92:5.1°6 83-27-61 1/0 1/0 


To reset the statistics per-host, disable the per-host inspection command and re-enable it. 
Use the following command to display ACL global configuration parameters: 


CLI> show ip inspect config 

tcp synwait-time is 30 sec, tcp finwait-time is 56 sec 
tcp idle-time is 1800 sec, udp idle-time is 180 sec 
icmp idle-time is 30 sec, other idle-time is 300 sec 
log hold time: 10 sec 

max half-opened sessions 1000 

max opened sessions 5000 

per-host maximum half-opened sessions 20 

per-host maximum opened sessions 50 

Active/closed sessions 303/0 

memory allocation failures 0 

inbound/outbound packets dropped 0/0 





Use the following command to display ACL global statistics: 


CLI> show ip inspect statistics 
Active/closed/failed sessions 11/1809/495 
Half-opened/closed/failed sessions 0/273/0 
inbound/outbound tcp errors 0/0 

memory allocation failures 0 

inbound/outbound packets dropped 44/0 
inbound/outbound packets permitted 97730/1439 








Use the following command to display ACL per-host configuration: 


CLI> show ip inspect config per-host 
4.12.5 Debug and Trace 


To enable debugging of IP access-lists, use the following command in global mode: 


CLI> debug ip access-list 


To disable debugging of IP access-lists, use the 'no' form of the above-referenced command. 
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4.13 IP ACCOUNTING 


4.13.1 Features 
4.13.1.1 Per flow Accounting 


Accounting permits a user to record easily flows transiting through an interface. Traffic is sorted out by 
source and destination addresses in each direction. User can select to account traffic on both directions of 
an interface or only outgoing traffic. 


4.13.1.2 Accounting list Selection 
Accounting can be restricted to a pool of specific addresses, thus selecting only interesting traffic. 
4.13.1.3 Accounting Violations 


Used in conjunction with an access-list attached to the same interface, the IP accounting function counts 
flows denied by the access-list. Accounting violations are automatically available once accounting is 
enabled and packets are dropped by the access-list attached to the interface. 


4.13.1.4 Per Precedence Accounting 


Instead of sorting out packets by their IP addresses, the accounting function can record packets per 
precedence value. This feature can help in troubleshooting IP QoS configuration. 


4.13.1.5 Accounting Threshold 


To avoid memory starvation, an accounting threshold that sets the maximum number of accounted flows is 
configurable. 


4.13.2 Configuration 
4.13.2.1_ Per Flow Accounting 


To apply accounting to an interface, use the following command in interface configuration mode: 


CLI (config-if)> ip accounting 


To apply accounting only to output packets, use the following command in interface configuration mode: 


CLI (config-if)> ip accounting output-packets 


To restore the configuration mode and disable ip accounting, use the no form of the above commana: 








CLI (config-if)> no ip accounting 
4.13.2.2_ Per Flow Accounting 


To restrict accounting to a pool of addresses, first configure an access-list and use the following command 
in configuration mode: 


CLI (configure)> ip accounting-list <acl-name> 


To restore the default behavior and account packets independently from their source and/or destination 
address, use the following command in interface configuration mode: 


CLI (config-if)> no ip accounting-list 
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4.13.2.3. Accounting Threshold 


To configure accounting threshold (i.e. the maximum of recorder flows), use the following command in 
configuration mode: 


CLI (configure)> ip accounting-threshold <100-10000> 
To restore the default threshold (2000 sessions) use the no form of the above command in configuration 
mode: 


CLI (config-if)> no ip accounting-threshold 
4.13.3 Statistics 


Use the following show command to display the list of accounting flows. 


CLI> show ip accounting fastethernet 0/0 
Source Destination Packets Bytes 
20.1.1.44 192.168.2.11 336 174222 


Use the following show command to display accounting result by precedence. 


CLI> show ip accounting precedence 


Use the following show command to display the list of accounting flows. 





CLI> show ip accounting access-violations 
Source Destination Packets Bytes ACL 
20.1.1.44 192.168.2.66 336 174222 102 


To reset all accounted flow, use the following clear command in global mode. This command clears 
counters, and associated flows: 
CLI> clear ip accounting 
4.13.4 Debug 


A debug command permits having real-time information on accounted flows: 


CLI> debug ip accounting 
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4.14 NETWORK ADDRESS TRANSLATOR (NAT) 


This section describes the main features of the Network Address Translator and its configuration. 
4.14.1 Features 

The following terms are used throughout this section: 
4.14.1.1 Inside Local Address 


This address is the private address, also the real address of an inside host. IETF reserved 10.0.0.0/8, 
172.16.0.0/12 and 192.168.0.0/16 as private address space. However for historical reasons, the address 
space of a private network may not fall in the ranges noted above. 


4.14.1.2_ Inside Global Address 

This address is the globally routable address that is temporarily or permanently assigned to an inside host. 
4.14.1.3, Outside Global Address 

This address is the real address of an outside host, which is globally routable. 
4.14.1.4 Outside Local Address 


This address is the local address assigned to an outside host in case of address conflict (or overlapping). 
Outside local addresses are only routable in the private domain. 


4.14.1.5 Dynamic Address Translation (Dynamic NAT) 


NAT translates the IP source address of outbound traffic from an inside local address to an inside global 
address, and vice-versa for inbound traffic. The inside global address is picked from the inside global 
address pool (which is configured by the user) when the inside host initiates a session to an outside host. 
When the session is finished, the inside global address is freed and returned to the inside global 
addresses pool. Dynamic NAT is generally unidirectional. However, once dynamic 1-to-1 mapping is 
established at the NAT device, sessions initiated from an outside host to the inside host can be accepted 
according to a configurable parameter, (for example, under the condition that a session between them 
already exists) as it is generally initiated by the inside host. 


4.14.1.6 Static Address Translation (Static NAT) 


Static NAT translates the IP source address of outbound traffic from an inside local address to the same 
inside global address and vice-versa for inbound traffic whenever static mapping exists in a user 
configured address mapping table. The mapped inside global address will be automatically excluded from 
the inside global address pool if it is contained in the latter. Static NAT is implicitly bi-directional, meaning 
that sessions can be initiated from inside hosts as well as outside hosts. 


4.14.1.7 Dynamic Address/Port Translation (Dynamic NAPT) 


Dynamic NAPT translates the IP source address and port of outbound traffic from an inside local address 
and port pair to an inside global address and port pair, and vice-versa for inbound traffic. One inside global 
address is generally sufficient for all dynamic address/port translations. Dynamic NAPT, also known as 
address overloading, is always unidirectional (sessions can only be initiated from inside hosts). Dynamic 
NAPT is only applicable to TCP/UDP and ICMP traffic. 
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If both NAT and NAPT are configured, an automatic switch between NAT and NAPT is provided. When 
more than one address are available from the inside global address pool, only address translation (NAT) is 
applied. This is desirable since address translation is less restrictive, faster, and makes it less difficult to 
trace end hosts. However, as the number of global addresses is generally less than the number of inside 
hosts, it is very likely that the global address pool will be exhausted. In that case, it is desirable to continue 
allowing inside hosts to communicate with the outside world. If NAPT is enabled, the last global address 
available is reserved for NAPT. It will become effective only when global addresses are exhausted. At a 
later time, if global addresses become available again, the implementation will switch automatically to 
NAT. 


4.14.1.8 Static Address/Port Translation (Static NAPT) 


Static NAPT translates the IP source address and port of the outbound traffic from an inside local address 
and port pair to the same inside global address and port pair. The reverse applies to inbound traffic 
whenever static mapping exists in a user-configured address/port mapping table. Static NAPT is implicitly 
bi-directional, meaning sessions can be initiated from inside hosts as well as outside hosts. Static NAPT is 
only applicable to TCP/UDP traffic. If static address/port mapping uses the same inside global address as 
used in a static address mapping, the static address/port mapping will be applied with higher priority. 


Similar to static NAT, static NAPT is often used for servers on the private network, which should be 
accessible from the outside world. 


4.14.1.9 Static NAPT Translation on a Port Range 


A single command enables the translation of a range of inside local ports into a new range of inside global 
ports. As it is based on static mapping, the translation applies also to inbound traffic. As a consequence, 
NAT port range is bidirectional, meaning that sessions can be initiated from inside hosts as well as outside 
hosts. 


NAT port range is only applicable to TCP/UDP traffic. If NAT port range uses the same inside global 
address as used in a static address mapping, the static address/port mapping will be applied with higher 
priority. 


Similar to static NAT, NAT port range is often used for servers on the private network, which should be 
accessible from the outside world. 


4.14.1.10 Outside Address Translation 


This mechanism translates the IP destination address of outbound traffic from an outside local address to 
an outside global address and vice-versa for inbound traffic. This translation is necessary only if the 
outside global addresses overlap with the inside local address space. After all sessions between the 
outside host and the inside network are completed, the outside local address will be freed and returned to 
the outside local address pool. This mechanism generally works together with DNS ALG. 


4.14.1.11 TCP/UDP Load Balancing 


Inbound TCP/UDP sessions destined to an inside global address and port can be dispatched to a number 
of inside hosts (servers). The maximum number of inside servers is limited to 8. In order to ensure that the 
traffic from a given outside host is always handled by the same inside server, the selection of the inside 
server is based on the outside host address. This is necessary for some applications. 


4.14.1.12 DNS Interaction 


Upon outgoing DNS queries for domain name to address resolution, the device intercepts DNS reply 
packets, to check whether the outside global address overlaps with the inside local address space. If the 
device finds an overlap, the outside global address is translated to an outside local address by creating a 
dynamic mapping. 


Upon outgoing DNS queries for address to domain name resolution, the device intercepts DNS request 
packets to check whether any outside local address is present. When an outside local address is detected, 
the device translates the outside local address to an outside global address, when corresponding dynamic 
mapping exists (there is no translation when the mapping does not exist). 


Upon incoming DNS queries for domain name to address resolution, the device intercepts DNS reply 
packets to check whether any inside local address is present. When this is the case, the device translates 
the inside local address to an inside global address, by using either a static mapping or creating a dynamic 
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mapping. 


Upon incoming DNS queries for address to domain name resolution, the device intercepts DNS request 
packets, checking whether the inside global address is mapped to an inside local address. When this is the 
case, the device translates the inside global address to an inside global address by using either existing 
static or dynamic mapping. 


4.14.1.13 Application Level Gateway (ALG) 


When an address and/or port are translated, the application data (payload) must be translated for 
protocols that contain an IP address and/or transport port in their messages. This is known as an 
Application-Level Gateway (ALG). At present, the following ALGs are supported: DNS, FTP, ICMP, NBT 
(NetBIOS over TCP/IP), ntalk (UNIX talk command), H.323, and SIP (Note: SIP ALG is not activated by 
default). For other protocols, TELNET, HTTP, TFTP, SMTP, and NFS (which do not contain an IP address 
and transport port in the application payload), no particular ALG is required. 


4.14.1.14 Session Limitation and Denial-of-Service Protection 


Only dynamic NAT is concerned by this paragraph. 


The maximum number of permitted NAT sessions can be configured. When this limit is reached no more 
sessions can be created. When the default threshold of 90% of total sessions is reached an alarm is sent 
periodically. When the maximum number of sessions is reached an alarm is also sent periodically. 


Such limitation avoids complete memory exhaustion when some hackers try to create many fake sessions 
in the router. However, this limit has the drawback that it can block the router for a transient phase until 
some session contexts are freed (after some timeouts have elapseda). 


In order to mitigate such issue, the maximum number of per-host NAT sessions can be configured. When 
this limit is reached no more sessions can be created by this host. When the maximum number of sessions 
is reached for a specific host an alarm is sent periodically. The limit will block an attack originated by a 
given host while letting other hosts creating NAT sessions. The router is then no more blocked in case of 
such attack. 


The default limit per host may not be suitable for all hosts. For example, a web server may be entitled to 
create many sessions while normal LAN workstations should only consume few NAT sessions. The 
maximum number of permitted NAT sessions can be configured for a specific host. 


4.14.1.15 IPsec and NAT 


If you activate NAT overload on the WAN interface and an IPsec flow should go through to the router, two 
cases must be considered: 


e IPsec client on the LAN (private IP), IPsec gateway reached via a public IP address: nothing to 
configure, it functions de-facto. 


e IPsec client reached via a public IP, |Psec gateway on the LAN (private IP): the client cannot reach 
directly the gateway. IPsec must be NATed. In order to let IPsec go through NAT, you must configure 
static UDP translation for the port 500 (IKE) and 5000 (IPsec tunnel encapsulated in UDP because of 
NAT traversal). 


In both cases, the client and the gateway must support NAT-traversal (RFC3947). See the IP Security 
section for more details. 


Think to use the bypass list to avoid the traffic inside the IPsec tunnel being dropped by NAT. See the 
Bypass Inside Addresses section for more details. 


4.14.1.16 Reflexive Access Lists and NAT 


If you activate NAT overload on the WAN interface and a reflexive access list is applied to this interface, it 
will not work. The temporary filter in the reverse direction is set up before NAT with the inside local 
address; the subsequent session message use, because of NAT, the inside global address and therefore 
cannot pass through the device. 


Depending on the cases, the solution can be to use static NAT for the LAN traffic or to use local access 
lists that apply only to the local traffic that is destined to or generated by the router. See the IP Access 
Lists section for more details. 
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4.14.1.17 EZVPN and NAT 


If you activate NAT overload on the WAN interface and an EZVPN is applied to this interface, think to use 
the bypass list to avoid the traffic inside the EZVPN being dropped by NAT. See the Bypass Inside 
Addresses section for more details. 


4.14.2 Configuration Commands 


Most NAT configuration parameters are interface-specific, (i.e., the user should configure the parameters 
at the public network interface). If required, the user can also apply NAT to multiple interfaces as in the 
case of a multi-homed network. 


4.14.2.1. Inside Address Translation Order 


The user can configure all or any combination of the translation modes described above at the same time. 
If multiple translation modes are configured, they are applied to the outgoing sessions in the following 
order: 


1. Static address/port translation 
Static address translation 
Dynamic address translation - if the packet matches the user list of an inside address pool 


Dynamic address/port translation - if the packet matches the user list of an inside address pool 
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Dynamic address/port translation using the interface address - if the packet matches the user 
list or if the user list is not specified. 


In the case where inside global address is the only interface address, only translation modes 5 and 1 can 
be applied. Any outgoing sessions not eligible for the above-referenced translation are rejected once NAT 
is configured on an interface. 


For inbound sessions, the translation modes are applied in the following order: 
1. Static address/port translation 
2. Static address translation 
3. Dynamic address translation - if the destination address is allocated to an inside host 


Any inbound sessions not eligible for the above-referenced translation are rejected once NAT is configured 
on an interface. 


4.14.2.2. Dynamic NAT/NAPT 


To configure dynamic inside address translation, an inside global address pool (inside pool) should be 
configured. To do so, an access list should be created first to identify the user of the pool, i.e., the packets 
matching that access list will be translated using this pool. The access list could be a standard or extended 
access list. For example, an access list including all inside hosts can be set as follows: 


CLI (configure)> ip access-list standard <acl-name> 
CLI (ip-acl-std)> permit any 
CLI (ip-acl-std)> exit 


To set an inside pool, use the following command: 


CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip nat inside pool <name> <start-address> <end-address> 
user-list <acl-name> [overload] 





The addresses contained in the range of starting and ending addresses are added to the named pool. To 
protect against possible configuration errors, the maximum number of addresses, which can be put into a 
pool is limited to 65535. If the outgoing interface address and any statically mapped addresses are 
contained in the given global address space, they are automatically excluded from the inside pool. The 
name of access list to use must be entered after the keyword user-list. The keyword overload, if present, 
enables address overloading (NAPT) for this pool. 


To remove the inside pool, use the command: 


CLI (config-if)> no ip nat inside pool <name> 
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If the pool is in use, this command will fail. In this case, the user should first clear the NAT session table by 
using the commana: 


CLI> clear ip nat sessions 
It is preferable to shutdown the NAT interface if traffic is present. Doing so will prevent erratic packets from 
being sent to the local terminals. Assuming that an inside pool is configured; the first time an inside host 
sends a packet to the public network, a global address will be taken from the pool and assigned to that 
host (if it belongs to the user list). The mapping between the inside local address and the inside global 
address is stored and maintained in a table. Whenever dynamic address mapping exists, it is possible for 


outside hosts to initiate sessions with the inside host (using the corresponding inside global address). To 
allow inbound sessions to dynamically assign global addresses, use the following command: 


CLI (config-if)> ip nat two-way [restricted] 
By default, inbound sessions to dynamically allocated global addresses are not allowed. If the keyword 
restricted is present in the above-referenced command, only the outside hosts already in contact with the 


corresponding inside host are allowed to initiate sessions. To deny any inbound sessions to a dynamically 
allocated inside global address, use the command: 


CLI (config-if)> no ip nat two-way 
4.14.2.3. Dynamic NAPT on the Interface Address 


To overload the interface address, apply address and port translation using the following command: 
CLI (configure)> interface <type> <unit> 


CLI (config-if)> ip nat inside overload [user-list <acl-name>] 


The user access list is optional. If the user access list is present, only the packets matching the access list 
are translated. Packets not matching the access list are dropped. If the user-list is not specified, all packets 
are translated using the interface address. 


To carry out interface address overloading, there is no need to specify the global address that will be used. 
It is taken from the interface at the time of translation. This allows NAT to work together with any dynamic 
address allocation protocol, such as BOOTP, DHCP or IPCP. 


To disable interface address overloading, use the command: 


CLI (config-if)> no ip nat inside overload 
4.14.2.4 Static NAT 


To carry out static address translation, use the following command to create static address mapping: 
CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip nat static <inside-local> {<inside-global> | self} 
The keyword self means the address of the interface. It is useful when the interface address is assigned 
dynamically, using IPCP for example. 
To remove an existing static address translation, use the command: 


CLI (config-if)> no ip nat static <inside-local> {<inside-global> | self} 
4.14.2.5 Static NAPT 


To carry out static NAPT, use the following command to create a static address/port mapping: 


CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip nat static-napt {tcp | udp} <inside-local-address> 
<inside-port> <inside-global> {<inside-global> | self} <global-port> 


The keyword self means the address of the interface. It is useful when the interface address is assigned 
dynamically, using IPCP for example. 
To remove an existing static address/port translation, use the command: 


CLI (config-if)> no ip nat static-napt {tcp | udp} <inside-local-address> 
<inside-port> {<inside-global> | self} <global-port> 
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4.14.2.6 Static NAPT on a Port Range 


To carry out static NAPT, use the following command to create a static address/port mapping: 


CLI (configure)> interface <type> <unit> 

CLI (config-if)> ip nat static-napt port-range {tcp | udp} <inside-local- 
address> <inside-port-min> <inside-port-max> <inside-global> {<inside- 
global-address> | self} <global-port-min> <global-port-—max> 





The keyword self means the address of the interface. It is useful when the interface address is assigned 
dynamically, using IPCP for example. 


To remove an existing static address/port translation, use the command: 


CLI (config-if)> no ip nat static-napt port-range {tcp | udp} <inside- 
local-address> <inside-port-min> <inside-port-max> {<inside-global-port> 
| self} <global-port-min> <global-port-max> 


4.14.2.7 Static NAT on IP Protocol 


To carry out static NAT on the IP protocol, use the following command to create a static address/port 

mapping: 

CLI (configure)> interface <type> <unit> 

CLI(config-if)> [no] ip nat static-ip <protocol> <inside-local-address> { 
<inside-global-address> | self} 








protocol is the IP protocol or the protocol name (see ‘show ip protocol-map’). The keyword self means 
the address of the interface. It is useful when the interface address is assigned dynamically, using IPCP for 
example. Example to allow PPTP: 


CLI (config-if)> ip nat static-napt tcp 192.168.1.223 1723 20.1.1.1 1723 
CLI (config-if)> ip nat static-ip 47 192.168.1.223 20.1.1.1 


4.14.2.8 Overlapping Outside Address Translation 


If the address space of the private network does not fall into the ranges reserved by IETF (RFC 1918), it is 
possible that inside local address will overlap with outside global addresses. If this is the case, outside 
address translation is required. To do so, a standard access list should be configured to indicate the 
overlapping outside global addresses. For example, the following command can be used: 


CLI (configure)> ip access-list standard <acl-name> 
CLI (ip-acl-std)> permit <ip-address> <wildcard> 
CLI (ip-acl-std)> exit 
Then, the following command can be used to configure the outside local address pool (outside pool): 


CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip nat outside pool <name> <start-address> <end-address> 
user-list <acl-name> 


It is important to note that for inside hosts, a route entry should be added for routing the given outside local 
address/mask to the NAT device. If a default route through the NAT device already exists, a route entry is 
not needed. 


To remove the outside address pool, use the command: 

CLI (config-if)> no ip nat outside pool <name> 
If the pool is in use, this command will fail. In this case, the user should first clear the NAT session table by 
using the command: 


CLI> clear ip nat sessions 
4.14.2.9 Bypass Inside Addresses 


NAT provides some kind of access control. Simply speaking, inbound packets are dropped if they are not 
destined to statically map global addresses/ports. Outbound packets are dropped if they do not match any 
user list of the inside pools and if they do not have a static address and/or port mapping. To prevent NAT 
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from dropping such packets, the bypass list should be used. 
To indicate the inside addresses that should not be translated, use the following command: 


CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip nat inside bypass-list <acl-name> 





Only one bypass list can be configured. However the bypass list can contain more than one filter. 


At the outgoing interface, a packet matching the bypass list is forwarded unchanged (and vice-versa for 
packets received from the outside network). Therefore, the bypass list applies to both directions. 


To remove the bypass list, use the command: 


CLI (config-if)> no ip nat inside bypass-list 


4.14.2.10 Load Balancing 


A pair of inside global address/port can be mapped to several inside local address/port pairs. By entering 
the following command with the same global address and port, the device can dispatch traffic to a set of 
local servers. 


CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip nat static-napt tcp <local-address> <local-port> 
<global-address> <global-port> 


The following example shows how the traffic routed to one virtual FTP server (20.1.1.10) is dispatched to 
two inside FTP servers: 


CLI (config-if)> ip nat static-napt tcp 10.1.1.10 21 20.1.1.10 21 
CLI (config-if)> ip nat static-napt tcp 10.1.1.11 21 20.1.1.10 21 


4.14.2.11 Changing the Timer Values 


A number of timers are used by NAT to control the end of sessions and address allocations. The user can 
change the default timer values if required. All timers are expressed in seconds. To set the DNS timer, use 
the following command in global configuration mode: 


CLI (configure)> ip nat translation dns-timeout <seconds> 
The default value is 90 seconds. This timer is used to hold address mappings created by DNS ALG. For 
example, an inside global address could be allocated to an inside host by DNS ALG when translating an 


outgoing DNS reply message. The inside global address will be freed if a data session has not been 
initiated with that address for this timeout period. 


To set the TCP session close wait timer, use the following command in global configuration mode: 
CLI (configure)> ip nat translation finrst-timeout <seconds> 
The default value is 120 seconds. When a TCP packet with FIN or RST bit set is received, the session will 


be removed from the session table only after the timer expires. This action is necessary for both sides to 
properly close the TCP session. 


To set the ICMP idle timer, use the following command in global configuration mode: 

CLI (configure)> ip nat translation icmp-timeout <seconds> 
The default value is 30 seconds. This timer is used to remove an ICMP session when it is idle for the 
specified period. 
To set the TCP idle timer, use the following command in global configuration mode: 

CLI (configure)> ip nat translation tcp-timeout <seconds> 
The default value is 1800 seconds. This timer is used to remove a TCP session when it is idle for the 
specified period. 


To set a TCP idle timer for a specific TCP port, use the following command in global configuration mode 
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CLI (configure)> ip nat translation port-timeout tcp <port nb> <seconds> 


To set the UDP idle timer, use the following command in global configuration mode: 





CLI (configure)> ip nat translation udp-timeout <seconds> 


The default value is 120 seconds. This timer is used to remove a UDP session when it is idle for the 
specified period. 


To set a UDP idle timer for a specific UDP port, use the following command in global configuration mode 


CLI (configure)> ip nat translation port-timeout udp <port nb> <seconds> 


To set the idle timer for all other protocols, use the following command in global configuration mode: 


CLI (configure)> ip nat translation others-timeout <seconds> 


The default value is 60 seconds. 


To return to the default values, use the ‘default' form of the above-referenced commands. 
4.14.2.12 Changing the Maximum Number of Sessions 


To set the maximum number of sessions, use the following command in global configuration mode: 
CLI (configure)> ip nat translation max-sessions <100-100000> 
The default value depends on the product (check the command ‘show ip nat timers’). If the number of 


current active sessions reaches the maximum number of sessions, new sessions will be rejected. This is 
often useful to limit the maximum amount of memory used by NAT. 


To return to the default value, use the command: 


CLI (configure)> default ip nat translation max-sessions 
4.14.2.13. Per-Host Sessions Limitation 


To activate per-host inspection (session limiting per host), use the following command in configuration 
mode (max-sessions must be provided in case another value than default —50- is used): 


CLI (configure)> ip nat per-host [max-sessions <5-100000>] 


To disable per-host inspection, use the no form of the above command: 


CLI (configure)> no ip nat per-host 


To restore the default number of maximum sessions, use the following configuration command line: 


CLI (configure)> default ip nat per-host max-sessions 
4.14.2.14  Per-Host Address Sessions Limitation 


The per-host limit is a global limit applicable to all hosts. However, such threshold may fit well for LAN 
workstations, while being not adapted to large servers and proxies creating a large number of legal 
sessions. It is possible to specify a list of IP addresses and declare for each address the desired maximum 
authorized sessions. Note that the next command is only active if 'ip nat per-host [max- 
sessions <nbr>]' was previously entered. 


To configure the maximum authorized sessions for one specific IP address, use the following command 
line in configuration line: 


CLI (configure)> ip nat per-host address <A.B.C.D> max-sessions <5-100000> 


To disable per-host address configuration, use the no form of the above command: 


CLI (configure)> no ip nat per-host address <A.B.C.D> 
4.14.2.15 Activating SIP ALG 


To activate SIP ALG, which is not activated by default, use the following command in configuration mode. 
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The default port (5060) is used when the port number is not provided. 


CLI (configure)> ip nat service sip udp [<port_number>] 


To deactivate SIP ALG, use the no form of the above command: 





CLI (configure)> no ip nat service sip udp 
4.14.2.16 Sending SNMP Traps for Outstanding Events 


Alarms are sent according to the following procedure: 
e When the maximum number of sessions is reached, an alarm is periodically sent every 16 seconds. 
e When the threshold is no more reached, then the alarm disappears. 


When 90% of all NAT session contexts are used, a trap can be sent (please load OneAccess NAT MIB on 
your SNMP management system). Another trap is sent, when the number of sessions becomes lower than 
this 90% threshold. To enable such trap, enter the following command in global configuration mode: 


CLI(configure)> [no] snmp traps nat 
4.14.3 Configuration Examples 


In the first example, the private network uses the private address space 192.168.2.0. In the private 
network, an HTTP server is running on the host 192.168.2.20, which should be accessible from the outside 
world. The only inside global address (52.0.0.4) is the interface address. As such, there is no inside 
address pool. NAT overload (NAPT) should be configured. NAT will take the interface address at the time 
the first packet is sent to the outside network. 


NAT can be configured using the following commands (assuming other interface parameters are properly 
configured): 



















HTTP server 
192.168.2.20 


52.0.0.4 








5 











Private Network 
192.168.2.0 


interface ethernet 0/0 
ip address 192.168.2.1 255.255.255.0 
exit 


interface atm 0.1 

ip nat inside overload 

ip nat static-napt tcp 192.168.2.20 80 52.0.0.4 80 
exit 


If you do a static translation on a port used by a router application (such as telnet server), the application 
will not be reachable any more: translation on TCP port 50 prevents the use of the embedded telnet 
server. 


In the second example, the network configuration is almost the same except that a number of inside global 
addresses (ranging from 213.1.2.10 to 213.1.2.20) are available. In this case, an inside global address is 
statically assigned to the HTTP server. The remaining addresses are put into the inside global address 
pool, called 'pi'. NAPT (overload) is enabled on the addresses from this pool. Outside hosts are allowed to 
initiate sessions with an inside global address if the corresponding inside local/global address mapping 
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exists. The following is the configuration script: 


ip access-list standard ul 
permit 192.168.2.0 0.0.0.255 
exit 


interface atm 0.1 

ip nat inside pool pi 213.1.2.10 213.1.2.19 user-list ul overload 
ip nat two-way 

ip nat static 192.168.2.20 213.1.2.20 

exit 


In the third example, the use of user lists in NAT commands is demonstrated. Here the inside global 
addresses are divided into two pools used by two different user groups. Extended access lists are created 
to identify each user group. The inside (Source) addresses in the range of 192.168.2.0 to 192.168.2.127, to 
the outside (destination) addresses in the range of 34.0.0.0 to 34.0.0.255, are of group 1 (u1) and will be 
translated using pool 1 (pil). The inside (source) addresses in the range of 192.168.2.127 to 
192.168.2.255 to the outside (destination) addresses in the range of 45.0.0.0 to 45.0.0.255, are of group 2 
(u2) and will be translated using pool 2 (pi2). The example above is configured using the following script. 


ip access-list extended ul 
permit ip 192.168.2.0 0.0.0.127 34.1.2.0 0.0.0.255 
exit 


ip access-list extended u2 
permit ip 192.168.2.128 0.0.0.127 45.4.3.0 0.0.0.255 
exit 


interface atm 0.1 

ip nat inside pool pil 213.1.2.10 213.1.2.15 user-list ul 
ip nat inside pool pi2 213.1.2.16 213.1.2.19 user-list u2 
ip nat static 192.168.2.20 213.1.2.20 

exit 


The last example illustrates how to perform outside address translation. It is assumed that the inside local 
address space is now 20.1.1.0/24, which overlaps with the outside network. First, an access list is created 
to identify the conflicting addresses. Then, an outside local address pool is created for use if the outside 
global address falls into the range given in the access list. The configuration commands are given below: 


interface ethernet 0/0 
ip address 20.1.1.1 255.255.255.0 
exit 


ip access-list standard conflicts 
permit ip 20.1.1.0 0.0.0.255 
exit 


interface atm 0.1 

ip nat inside overload 

ip nat outside pool po 10.2.2.1 10.2.2.254 user-list conflicts 
exit 


A route for destination 10.2.2.0/24 via the NAT router should be set at end hosts. 


4.14.4 Statistics 


Use the following command to display the NAT running configuration: 


CLI> show ip nat config 


Use the following command to display NAT global statistics: 


CLI> show ip nat statistics 

IN: 0 packets translated, 0 drops 

OUT: O packets translated, 0 drops 

Sessions: 0 active , 0 closed rejected due to memory full 
Address maps: 0 inside maps, 0 outside maps 
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Use the following command to display NAT sessions: 


CLI> show ip nat sessions 
protocol in-local:port(global:port) out-global:port (local) in/out timeout 
FastEthernet 0/0 





iomp 192.168.2.7:22662(52.0.0.4)->20.1.1.44:echo 1/1 44 
icmp 192.168.2.7:22660(52.0.0.4)->20.1.1.44:echo 1/1 44 
icmp 192.168.2.7:22658(52.0.0.4)->20.1.1.44:echo 1/1 44 
iomp 192.168.2.7:22656(52.0.0.4)->20.1.1.44:echo 1/1 44 


top 192.168.2.133:34026(52.0.0.4)->20.1.1.44:ftp 10/11 7200 
top 192.168.2.133:34029(52.0.0.4)->20.1.1.44:ftp-data 11/8 120 
top 192.168.2.133:telnet (52.0.0.4)<-20.1.1.44:1183 320/291 7168 


Note that the inside global port is missing if it is the same as inside local port and the outside local address 
will be missing when it is the same as the outside global address. Following address/port information, the 
number of outbound and that of inbound packets are given. For each NAT session, the last number of the 
text output indicates the number of seconds remaining for the session if it becomes idle. The arrow *->' 
indicates that the inside host is the session initiator. Similarly, the arrow “<-' indicates that the outside host 
is the session initiator. 


Use the following commands to display NAT address mappings: 


CLI> show ip nat mappings inside 

Atm 0.1 

Pool Inside local Inside global Sessions 
Bil. 19221:68..2 13 203 U2 1d 

pil 192.168.2.15 213.1.2.15 3 


CLI> show ip nat mappings outside 

Pool Outside local Outside global Sessions 
po 10.2.2.10 193.1.2.10 2 

por 10.22.2513 193.1221 2 


To display the timer values in NAT, use the command: 


CLI> show ip nat timers 

TCP FIN wait timer 90 sec, DNS hold timer 90 sec 
TCP idle timer 7200 sec, UDP 3600 sec, ICMP 60 sec 
Idle timer for other protocols 600 sec 

Maximum number of sessions 1000 





To display information about NAT address pools, use the command: 


CLI> show ip nat pool 

Atm 0.1 (4) 

inside address pool pil (5/5/9): head 0 tail 5 
213%de2. LO: 213182291 2134.02.02 203.223 
213.1.2.14 

inside address pool pi2 (4/4/8): head 0 tail 4 
213% eZ h5: 213s 2s Vor 233 is 22S Zs 8, 
bypass inside address 52.0.0.4/32 


Use the following show command to display the list of current NAT sessions per host: 


CLI> show ip nat per-host 
NAT sessions: 


address sessions failed max-—sessions 
192.168.10.250 17 2194 Hy) 
192.168... 102.5 f) 0 10 


To reset the statistics per-host, disable the per-host inspection command and re-enable it. 
To reset the statistic counters, use the command: 


CLI> clear ip nat counters 


To clear the NAT session table, use the command: 


CLI> clear ip nat sessions 


Be aware that in doing so, the current stateful sessions, in particular those of TCP, will be terminated at 
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end hosts. 
4.14.5 Debug and Trace 


To enable IP NAT debugging, use the following command in global mode: 


CLI> debug ip nat 


To disable IP NAT debugging, use the ‘no' form of the above-referenced command. 
Debugging for the per-host session limiting feature is enabled through the following command line: 


CLI> debug ip nat per-host 


To disable such debugging, use the no form of the above command: 


CLI> no debug ip nat per-host 


To display the current debugging modules, use the command: 
CLI> show debug 
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4.15 QUALITY OF SERVICE 


This section describes the main features of Quality of Service and its configuration. 
4.15.1 Features 


OneOS QoS implements the Differentiated Services (DiffServ) architecture, as defined by the IETF in RFC 
2475. For scalability, DiffServ offers QoS guarantees to traffic aggregates instead of individual flows. 
Packets are classified according to special criteria and marked to receive a particular per-hop forwarding 
behavior (PHB) on nodes along their path. Packets can generally be classified and marked once, typically 
at network boundary routers. Core (backbone) routers need not perform these heavy tasks. As a result 
they can handle a much higher volume of traffic. 


4.15.1.1 Services 


At present, two types of PHB are defined in addition to Default Forwarding (DF) (Best Effort service (BE)): 
Assured Forwarding (AF) and Expedited Forwarding (EF). Expedited Forwarding is specified to provide 
low loss, low latency, low jitter, assured bandwidth, end-to-end service similar to a virtual Leased Line. 
Assured Forwarding is used to offer Differentiated Services to different users or applications. Four classes 
of services have been defined in Assured Forwarding (AF1 to AF4). Within each class, an IP packet can 
be marked with one of three levels of drop precedence (AFx1 to AFx3). The standard PHBs are shown in 
the following table. 


In addition to the standard PHBs, users can conveniently define private PHBs: 


101110 Token Bucket 


AF11 001010 
cn AF12 001100 Token Bucket 
AF13 001110 
. AF21 010010 
silver AF22 010100 Token Bucket 
(AF2) 
AF23 010110 


AF41 100010 
AF42 100100 
AF43 100110 


Standard 
(Best Effort) oF | 00000 000000 


4.15.1.2 QoS Components 


Economic 
(AF4) 


Token Bucket 


Remainder 


In order to help understand and configure IP QoS, the main QoS components are briefly described here. 





AF31 011010 
eionz AF32 011100 Token Bucket 
(AF3) 

AF33 011110 


4.15.1.2.1. Flow Classification 


In terms of QoS, the first processing applied to input traffic is generally classification. Multiple methods are 
provided for this purpose: 
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e Access-lists (i.e., multi-field classifiers). Classification based on access lists can use the following 
fields in the TCP/IP header: IP source address and mask, IP destination address and mask, IP 
protocol field, a range of source port and a range of destination port for TCP/UDP traffic, as well as 
DSCP (Differentiated Services Code Point) value. 


e Simple traffic classifier using DSCP. 
e RTP traffic classifier that performs automatic recognition of RTP flows. 
e Interface traffic classifier. 


e Aclass (an aggregation of traffic flow) can be defined using any combination of the above classifiers. 
At runtime, packets are compared against the list of classifiers in configuration order. When a packet 
matches a classifier, it will receive additional processing associated with the corresponding class. 


e §=802.1p priority tag, 802.1q VLAN tag. 
4.15.1.2.2 Traffic Conditioning 


In order to enforce QoS to ingress/egress traffic on a router, QoS policy needs first to be defined for each 
class of traffic. Between a service provider and a customer, QoS guarantees are often specified as part of 
SLA (Service Level Agreement) in terms of bandwidth share and burst. In other cases, QoS policy can be 
simply defined by system administrator according to end-user's and enterprise wide requirements. 


The component, which enforces the QoS policy defined for each class is called the Traffic Conditioning 
Block (TCB or traffic policer). Traffic is first passed to a Meter which measures the traffic rate and 
determines its conformance level regarding to the traffic specification derived from the SLA or QoS policy. 
The conforming traffic, called in-profile, can be marked with a nominal DSCP (Marker) and passed to the 
next processing block. Non-conforming traffic, called out-of-profile, are processed according to their 
conformance level, for example, dropped (Dropper) or transmitted after remarking (Remarker). 


Although there are many different ways to perform traffic conditioning, only several well-known 
mechanisms are prescribed by the IETF. Our implementation supports Single Rate Three Color Marker 
(srTCM) algorithm (RFC 2697) and Two Rate Three Color Marker (trTCM) algorithm (RFC 2698). These 
two algorithms are somewhat similar. 


In srTCM, traffic conditioning is specified using three parameters: a Committed Information Rate (CIR), a 
Committed Burst Size (CBS), and an Excess Burst Size (EBS). Simply speaking, if traffic flow input to the 
Traffic Conditioning Block is under CIR and CBS, it is said conforming or green, and the conform-action 
will be applied. If traffic flow is under CIR, beyond CBS and under EBS, it is said exceeding or yellow, and 
the exceed-action will be applied. If traffic flow is beyond CIR, CBS and EBS, it is said violating or red, and 
the violate-action will be applied. 


In trTCM, traffic conditioning is specified by two token buckets: a Committed Information Rate (CIR) and its 
associated Committed Burst Size (CBS), a Peak Information Rate (PIR) and its associated Peak Burst 
Size (PBS). Simply speaking, if traffic flow input to the Traffic Conditioning Block is under CIR and CBS, it 
is said conforming or green, and the conform-action will be applied. If traffic flow is beyond CIR and CBS 
and under PIR and PBS, it is said exceeding or yellow, and the exceed-action will be applied. If traffic flow 
is beyond PIR and PBS, it is said violating or red, and the violate-action will be applied. 


Possible actions for conform-action, exceed-action and violate-action include, for example, to transmit, to 
drop, to set a new DSCP value, to set a new IP precedence, to set ATM CLP bit to 1, or any meaningful 
combination of the above. 


It could be noticed that in trTCM, if the PIR is set to a value equal to CIR, with PBS equivalent to EBS, 
trTCM gives the same result as srTCM. From this point of view, srTCM can be considered as a special 
case of trTCM. 
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QoS Processing Functions 


To be more flexible and to facilitate user configuration and deployment, the following methods are provided 
to configure the Traffic Conditioning Block: 


Using a single token (CIR, CBS). There are two levels of conformance at the output of a meter: 
conforming or exceeding. 


Using two tokens, (CIR, CBS) and (PIR, PBS), where PIR = CIR. Single-Rate Three-Color Marker 
(srTCM) algorithm is applied. There are three levels of conformance at the output of a meter: 
conforming or exceeding or violating. 


Using two tokens, (CIR, CBS) and (PIR, PBS), where PIR > CIR. Two-Rate Three-Color Marker 
(trTCM) algorithm is applied. There are three levels of conformance at the output of a meter: 
conforming or exceeding or violating. 


As mentioned above, in common sense, conforming traffic is meant as green, exceeding traffic as yellow, 
violating traffic as red. For each AF class, a different code (DSCP) is defined for each color. These codes 
can be marked in the DSCP field of IP header. 


As described in srTCM and trTCM, the Traffic Conditioning Block can work either in color-blind mode or 
color-aware mode: 


In color-aware mode, it is assumed that some preceding entity has pre-colored incoming packet 
stream (using DSCP) so that each packet is green, yellow or red. Upon an incoming packet, the meter 
determines a new color regarding to its traffic conditioning parameters. The packet changes its color 
to the resulting new color only if the latter degrades the packet's original color. For example, if the 
original color is yellow, the packet remains yellow if the new color is green; it changes to red if the new 
color is red. 


In color-blind mode, the original color of incoming packets is ignored. The color decided by the meter 
will be considered as the color of the incoming packet. 


In a deployment scenario, color-blind mode can be usually used on edge routers, while color-aware mode 
can be used on core routers located inside a DiffServ domain. 


4.15.1.2.3 Packet Marking 


After flow classification or/and traffic conditioning, packets can be marked in different ways: 


Packets are marked by setting IP precedence or IP DSCP in the IP TOS field. It allows to classify 
traffic with an IP precedence or DSCP in the IP header 


Packets are internally marked with a QoS-group. It allows applying QoS actions (later inside a router) 
without changing the packet header. 


Set the CLP bit to 1 in the ATM header. It allows to control discarding cells in congested ATM network. 
Cells with the CLP bit set to 1 are discarded before normal cells when congestion occurs. 


Set 802.1p tag. In the event, IP QoS is applied on dot11radio interface; the 802.1p value is mapped 
into a WMM CoS. 
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4.15.1.2.4 Congestion Avoidance 


Tail Drop 


Tail drop is the simplest form of congestion avoidance. Packets are dropped when FIFO queues have 
reached a certain length. It does not take into account the different classes of service and drop all packets 
without distinguish them during congestion. 


Random Early Detection (RED) 


The RED mechanism provides an alternative to avoid global synchronization issues with TCP packets 
being dropped by a tail drop algorithm. It takes advantage of TCP traffic, which can control transmission 
rate. RED makes a permanent control of the average queue size and avoids congestion by randomly 
dropping packets before queue is full. Thus, TCP detects that some packets are dropped and reduces their 
traffic transmission rate. The advantage of randomly dropping packets is not to influence the same TCP 
session. TCP traffic is thus desynchronized the link is fully utilized. But it should be reminded that the RED 
technique is intended to control TCP traffic congestion; it is not designed for UDP traffic, which does not 
have flow control. That said TCP constitutes the most heavily used network transport. 


Average Queue Size 
The average queue size avg is used to select the RED discard probability. 


It is based on the previous average and the current queue size: 





avg = previous_avg * (1 - 2%(-w)) + current_queue_size * 2% (-w) 


Where w is an exponential weighting factor configurable by the user. 


If 2* (-w) tends to 1, the average queue size is close from the real time queue size, which means avg has 
possibly an unstable value. Thus, temporary bursts will result in unnecessary traffic drop. 


If 2* (-w) tends to zero, the average queue size is not sensitive to drastic swing in size. Thus, the average 
will move slowly and it will not drop many packets during temporary bursts. 


Packet Drop Probability 


In RED, the drop decision is made according to the estimated average queue length, the minimum 
threshold, the maximum threshold, and mark probability. When the average queue length is below the 
minimum threshold, packets will never be dropped. When the average queue length is above the 
maximum threshold, all packets will always be dropped. Between the minimum and maximum threshold, 
packets will be dropped with a probability calculated according to the following formula: 





Probability of drop = Pmark x (Qmean - Tmin)/ (Tmax - Tmin) 


Where: 
e = Pmark is the mark probability 
e  Qmean is the sliding average queue size 


e Tmin is the minimum threshold 





Tmax ix the maximum threshold 


Drop 
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WRED is based on RED mechanism, but it is designed for Differentiated Services. It provides drop priority 
levels. WRED drops packets selectively based on IP Precedence or DSCP. It can selectively discard lower 
priority traffic when congestion occurs and provides differentiated performance for different classes of 
service. 


Usually, WRED is used in core routers where packets are already marked by edge routers with "traffic 
conditioning" (see above). "Traffic conditioning" determines 3 priority levels for each class, by assigning a 
DSCP/precedence value. In fact, the DSCP/drop precedence values are often referred to as three colors 
(green, yellow and red) where green packets have the highest priority and red the lowest priority. WRED 
use these priorities to determine how to process different types of traffic. It provides separate thresholds 
for different IP DSCP or Precedence values. 


WRED functions as RED but with a color-dependent processing. Depending on the packet color a different 
threshold value is used to allow an increased drop probability for red packets rather than green ones. 


Drop 
Probability 


100% | ------------------------------------ 
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red yellow green green, yellow, Average 
min min min red max A 
threshold threshold threshold threshold queues 
WRED has the same advantage as RED in that it avoids global synchronization issues and allows the 
transmission line to be fully used by randomly dropping packets before the emission queue is full. The only 
difference is that it works with different thresholds associated with colors, which provides preferential traffic 
and differentiated services. 


4.15.1.2.5 Queuing/Scheduling 


At an output interface, once a packet passes the Traffic Conditioning Block, it will be placed in the queue 
corresponding to its class (each class is mapped to a unique queue). Typically the output queues could be 
simply FIFO (first in, first out) queues. For a FIFO queue, packets are dropped when the queue is full 
(called Tail Drop). 
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In order to allow better bandwidth use and share among TCP flows, Random Early Detection (RED) and 
WRED could be also used instead of FIFO for better congestion avoidance. 


After packets are queued, the scheduler is invoked to select the queue from which the next packet will be 
transmitted. CBQ (Class Based Queuing) scheduler is available to meet the requirements of DiffServ-like 
services. In CBQ, if the guaranteed bandwidth for a class is not fully used, the remaining bandwidth can be 
used by other non-priority classes. 


If any priority traffic such as EF aggregate is not conforming to the allocated bandwidth, it is simply 
dropped. 


If any non-priority traffic such as AF aggregate is not conforming to the allocated bandwidth, there are two 
cases: 


1. If the link bandwidth is fully used, non-conforming traffic will be dropped. 


2. If a portion of link bandwidth is left unused, non-conforming and non-priority traffic can be 
transmitted and marked (or remarked) with higher drop precedence. 


4.15.1.2.5.1| CBWFQ 


CBWFQ (Class Based Weighted Fair Queuing) is an extended CBQ scheduler, which guarantees 
bandwidth share reserved for each class and also provides fair share of bandwidth for flows inside a same 
class. In our CBWFQ, flow-based WFQ is provided, which is particularly useful for flow-controlled protocols 
such as TCP. 


It is known that bandwidth share problems arise often when multiple TCP flows coexist or TCP and UDP 
flows coexist at the same time over the same link. In the worst case, the most aggressive flows will get all 
the bandwidth, and flow-controlled traffic will get no more bandwidth. This is mainly because a well- 
implemented TCP will lower sending rate (by reducing send window size, for example) when congestion is 
detected (packet loss). In practice, different TCP implementations generally do not have exactly the same 
flow control behavior. So they can get different bandwidth share over a specific link. 


With CBQ, all packets of the same class are put in the same queue. CBWFQ can be activated individually 
for each class or not. With CBWFQ, each flow inside a class is queued into a different queue. An equal 
weight inside the class is assigned to each flow, so that every flow gets a fair bandwidth share. Flows from 
different classes have implicitly different weights when the bandwidth assigned to the classes is different. A 
flow is distinguished using source and destination IP address, protocol, source and destination ports, TOS 
value. Then Weighted Round Robin (WRR) is used to schedule which queue is to be transmitted. With 
CBWFQ, bandwidth is fairly shared among all flows. An aggressive flow can no longer get more than an 
equal share of bandwidth. 


Flow-Based WFQ 


Incoming packets 
enqueue 


WFQ 
scheduler 





4.15.1.2.5.2 Transit Delay Control 


Flows that must be served with a real-time class require that the corresponding packets are classified in an 
EF class. However, when the uplink bandwidth is very small, the performance obtained with standard 
parameters might not be sufficient. Tuning transit delays is possible using several techniques. But the user 
should be aware that changing such default parameters can impact significantly the device routing 
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performance. 


To understand how to tune transit delays, a glance at the scheduling algorithm is useful. The IP QoS 
scheduler functions as follows: 
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6) Interface Driver Component 
CBQ Queues 


The interface driver has a transmit ring. The transmit ring (tx-ring) is a sort of queue where ready-to- 
sent packets are leaved. The interface driver picks packets from the tx-ring at the interface speed. 


The scheduling steps are the following: 


1. The scheduler puts all packets from the EF queues in the tx-ring until the EF queues are 
empty 


2. The scheduler takes packets from the AF and BE classes according to their configured 
respective bandwidth. If one or more AF/BE classes do not use all their configured bandwidth, 
the remaining bandwidth is redistributed among all queues with remaining packets 


3. Ifthe tx—ring is full, the scheduler stops emitting and does not complete step 2. 


4. When the tx-ring is empty or when a short QoS watchdog timer is expired, the scheduler 
wakes up again. 


5. The scheduler looks first if there are packets in EF queues (before completing the step 2 that 
was eventually not finished previously) 


6. The scheduler completes the step 2, if not finished previously. 


Note: this algorithm is valid for CB-WFQ and CBQ. CB-WFQ only has an influence in the order by which 
packets from an AF class go out of the CoS queue(s). 


Latency can thus be reduced by setting the number of frames stored in the tx-ring. (See: "tx-ring 
max-buffers <num-of-frames>" of "tx-ring max-latency" commands under interface 
configuration mode). The maximum latency resulting from queuing for a packet from the high priority class 
is: 


Latency = ( MTU * tx-ring ) / line-speed 


To configure the tx-ring under an ATM PVC, on any product except the ONE20/100, you configure the 
maximum number of frames in the tx-ring, which corresponds to the maximum latency: 


CLI (configure)> interface atm 0.<id> 

CLI(config-if)> pve {ipoa | pppoa | pppoeoa} vpi <vpi> vei <vci> 
CLI (pvc)> tx-ring max-buffers <nb-buffer> 

CLI (pvc) > execute 


On the ONE20/100, the tx-ring is considered full if a certain quantity of data is stored in the tx-ring. 
You only need then to configure the maximum latency: 


CLI (configure)> interface atm 0.<id> 

CLI (config-if)> pve {ipoa | pppoa | pppoeoa} vpi <vpi> vei <vci> 
CLI (pvc) > tx-ring max-latency <milliseconds> 

CLI (pvc) > execute 
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Reducing this number can make the QoS processing more pre-emptive (i.e. the scheduling algorithm is 
often interrupted), thereby resulting in degraded routing performance. 


For a casual application case (PPP over leased line, 512 kbps, MTU = 1500 bytes, tx-ring = 6), the 
worst-case latency is 140 ms. To further reduce transit delays, the Link Fragmentation and Interleaving 
(LFl) is used. The interleaving consists of inserting the priority packets (packets from the EF queues) at the 
beginning of tx-ring, namely after the second frame in the tx-ring or after the last priority packet if 
there are any in the tx-ring. Therefore the worst-case latency is equivalent to the serialization time of 
two large frames, i.e. latency = 2 * frame-size / line-speed. While interleaving has a significant effect on 
low-speed links, it has a relative low impact on high-speed accesses. 


To improve further performance, the frame-size can be reduced using fragmentation (FRF.12 or MLPPP 
fragmentation). 


4.15.1.2.5.3 Shaping on an Interface Supporting more than one VLAN 


If several VLAN are configured on an interface, a QoS policy can be applied under certain conditions. The 
QoS policy is applied on the physical interface (efm <x>, atm-aal5 <x>.<y> or fastEthernet 
<x>/<y>). As first step of QoS processing, every packet is put in a class of service. The classification 
criteria can be: 


e §€802.1p tag 





e _ Input interface (so it could map to a 802.1q tag) 
e DiffServ class: DSCP, precedence 

e RTP port range 

e Any standard or extended access list 

e = Virtual QoS group 


Then, for each class, one must assign a nested QoS policy to deal with shaping and policing. The nested 
QoS policy offers the same services as those offered for layer-3 QoS, namely: 


e Marking: 802.1p tag, DSCP, precedence, QoS group 

e Policing: single-rate / two-rate traffic conditioning (re-marking / dropping) 
e __ DiffServ-compliant Class-Based Queuing 

e Congestion avoidance: RED/WRED, CB-WFQ 


The sum of all bandwidths configured within the nested QoS policies must not exceed the line rate. 
Unused bandwidth by certain classes can be re-used by other classes (of the same or of other nested 
policies according to the remaining bandwidth sharing parameters). 


If policy-maps for layer-3 services are nested in classes of a policy-map for layer-2 services, the sum of 
bandwidth inside a layer-3 class must be lower than the supporting VLAN CIR. The scheduler will serve 
the bandwidth of sub-policies first and will redistribute bandwidth inside each sub-policy up to VLAN CIR. If 
there is remaining bandwidth to share, VLAN priority is used. IP queues are served according to their 
weights if the VLAN EIR is served. 


4.15.2 Configuration Commands 


Configuration of IP QoS can be accomplished in four steps: 


1. Classification: to classify packets into a specific class by defining a class-map applied to either 
input or output interfaces. 


2. Policing: to limit the rate and burst for a specific traffic class. 


3. Marking: to set the DSCP field of the IP header to a specific value by defining a policy-map 
associated with either input or output interfaces. 


4. Scheduling: To guarantee the specified bandwidth for each class, with different priorities. 


The data path for QoS processing is as follows: 
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4.15.2.1 Classification 


To create a new class, use the class-map command: 

CLI (configure)> class-map [ match-all | match-any ] <name> 
This command will create the named class if it does not exist already. With this command one can specify 
the logical function to be used when multiple matching rules are configured. The default is to apply a 


logical "AND" (match-all) on all matching rules of the class. If one needs to apply a logical "OR" for 
contained rules instead, use the following command: 


CLI (configure)> class-map match-any <name> 
The order in which the matching rules are configured does not pertain to the matching result. In the 
implementation, the rules are checked in configuration order. 
The user can rename an existing class by using the following command: 

CLI (config-cmap)> rename <new-name> 


CLI (config-cmap)> exit 


The user can add rules or classifiers in a class-map by using the match commands (see below). To 
remove an existing rule from a class-map, use the 'no match' commands. Do not confuse them with the 
‘match not' command, which means the rule is negated. 


A class-map can be empty. Thus traffic will not be selected by an empty class-map. 
4.15.2.1.1 Classification Using Access Lists 


If packets are to be classified using the IP header fields, users can use access lists (see the IP Access 
Lists configuration guide for more information). To do so, one needs first to create an access-list and then 
give the name of the access-list in the class-map. A simple example is given as follows: 


CLI (configure)> ip access-list standard qos_acl 
CLI (ip-acl-std)> permit 1.2.3.4 
CLI (ip-acl-std)> exit 
Then, the corresponding match rule to add to the class c1 would be as follows: 


CLI (configure)> class-map cl 
CLI (config-cmap) > match access-group qos_acl 
CLI (config-cmap)> exit 


To create a negative rule, (i.e., a packet matches if it doesn't match the filter), use the following form of the 
command: 


CLI (config-cmap)> match not access-group qos_acl 
4.15.2.1.2 Classifier Matching All Packets 


To select all packets passing through this class-map, using the following command: 


CLI (config-cmap)> match any 


To select null traffic (to temporarily disable a class-map for example), one can use the negative match 
command: 


CLI (config-cmap)> match not any 
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4.15.2.1.3 Classifier Matching an Input Interface 


The user can set a class to include all packets coming from a specific interface: 


CLI (config-cmap) > match input-interface <type> <unit> 


Any packets coming from an interface are excluded: 


CLI (config-cmap)> match not input-interface <type> <unit> 
4.15.2.1.4 Classifier for RTP Traffic 


To select real time traffic such as voice and video, encoded in Real Time Protocol (RTP) format, an 
embedded RTP filter in the class-map can be used. Note that RTP runs on top of UDP. Use the following 
command: 


CLI (config-cmap)> match ip rtp <lower-port> <port-—range> 


The negative rule is: 


CLI (config-cmap)> match not ip rtp <lower-port> <port-range> 
4.15.2.1.5 Classifier Matching a DSCP Field 


The user can set a class to match packets with some specific DSCP values: 


CLI (config-cmap)> match ip dscp <valuel> [<value2>] ... [<value8>] 


The negative rule is: 





CLI (config-cmap)> match not ip dscp <valuel> [<value2>] ... [<value8>] 
4.15.2.1.6 Classifier Matching an IP Precedence Value 


The user can set a class to match packets with specific IP precedence values in the TOS field: 


CLI (config-cmap)> match ip precedence <valuel> [<value2>] ... [<value4>] 


The negative rule is: 





CLI(config-cmap)> match not ip precedence <value 1> [<value2>] 
[<value4>] 


4.15.2.1.7 Classifier Matching a Virtual QoS Group 


The Virtual QoS Group is used to internally mark a traffic flow, typically using a policy-map at input 
interface, (see below to configure a policy-map). At output interface, the user can use QoS Group to select 
packets marked at input interface: 


CLI (config-cmap)> match ip qos-group <group-value> 


The negative rule is: 





CLI (config-cmap)> match not ip qos-group <group-value> 
4.15.2.1.8 Classifier Matching 802.1p Tag 


If the QoS policy is applied on Ethernet interface input, we can classify packets based on their 802.1p tag 
as follows: 


CLI (configure) > class-map match-any vlan-prio 
CLI (config-cmap)> [no] match [not] cos <cosl> [<cos2> [<cos3> [<cos4>]]] 





The values of <cos> are integer numbers ranging from 0 to 7. 
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4.15.2.1.9 Classifier Matching 802.1q Tag 


If the QoS policy is applied on Ethernet interface input, we can classify packets based on their 802.1q tag 
as follows: 


CLI (configure)> class-map vlanl01 
CLI (config-cmap)> [no] match [not] vlan <vlan-idl> [<vlan-id2> 
[<vlan-id3> [<vlan-id4>]]] 





The <vlan-id> values are integer numbers ranging from 0 to 4096. 
4.15.2.1.10 Classifier Matching an other Class 


Combining logical "AND" and "OR" is not possible within a class-map. But it is possible by using several 
different class-maps and the "match ip class-map" command. This provides a simple method to 
create complex classifiers. An example is given below: 


CLI 
CLI 
CLI 
CLI 
CLI 
CLI 
CLI 
CLI 


configure)> class-map match-all c2 
config-cmap)> match input-—interface Atm 0.1 
config-cmap)> match ip dscp 35 
config-cmap)> exit 

configure)> class-map match-any c3 
config-cmap)> match ip class-map c2 
config-cmap)> match ip rtp 1024 10000 
config-cmap)> exit 


The packet, which either meets all conditions of c2, or is an RTP packet whose port is between 1024 and 
11024, matches the class c3. 


The negative rule is: 


CLI (config-cmap)> match not ip class-map <class-—name> 
4.15.2.2 Policing, Marking, and Scheduling 


Policing, marking and scheduling are configured by using a policy-map. A policy-map contains a set of 
classes associated with QoS parameters that are necessary to perform a policy action such as marking or 
dropping. To create a policy-map, use the following command: 


CLI (configure) > policy-map <policy-name> 


The user can rename an existing policy-map by using the following command: 





CLI (config-pmap)> rename <new-policy-name> 
CLI (config-pmap) > exit 
Then, as needed, the user adds to a policy map the classes created by using the class—map command: 
CLI (config-pmap)> class <class-—name> 
This command, if successful, will enter into policy class configuration mode. Then the user can configure 
policy parameters for that class. A policy-map is never empty: the default class called 'class-default' is 
automatically added to a policy-map. It matches any traffic, which does not match any user-defined class. 


The class-default always uses the remaining bandwidth, which must not be zero. As a result, the user can 
not configure the bandwidth parameter on the class-default. 


4.15.2.3. Traffic policing 


For each class in a policy-map, the user can optionally configure traffic policing. Traffic policing is enabled 
only if the CIR (Committed Information Rate) is configured to a value other than zero. 


To configure the Committed Information Rate (CIR) and optionally the Committed Burst Size (default CBS 
value 4500 bytes) for a class, use the following command in policy class configuration mode: 


CLI (cfg-pmap-c)> police {cir <cir> | cir-percent <percent>} [<cbs>] 


The CIR token (cir, cbs) is specified in Kbits per second (cir) and number of bytes (cbs). If cir is set 
to zero, that disables traffic policing on that class. 
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All other traffic policing parameters are optional. By default, the peak rate and burst are not set; the 
conform-action is set to transmit; the exceed-action set to drop; the violate-action set to drop; the color- 
aware mode is not enabled. 


To configure the Peak Information Rate (PIR) and optionally the Peak Burst Size (default PBS value 12500 
bytes) for a class, use the following command in policy class configuration mode: 


CLI (cfg-pmap-c)> police pir {<pir> | pir-percent <percent>} [<pbs>] 
The PIR token (pir, pbs) is specified in kops (pir) and number of bytes (pbs). The parameter PIR must 
be greater than or equal to CIR. If it is strictly greater than CIR, traffic is conditioned in the same way as 


specified by trTCM (RFC 2698). If it is equal to CIR, the burst PBS should be greater than CBS. In this 
case, traffic is conditioned in the same way as specified by srTCM (RFC 2697). 


To configure the conform-action for a class, use the following command in policy class configuration mode: 


CLI (cfg-pmap-c)> police conform-action { transmit | drop | 


set-—dscp-transmit <dscp-value> | set-prec-transmit <prec-value> | 
set-group-transmit <qos-group> | set-clp-transmit | 
set-de-transmit | set-cos-transmit <cos> } 


To configure the exceed-action for a class, use the following command in policy class configuration mode: 


CLI (cfg-pmap-c)> police exceed-action { transmit | drop | 


set-—dscp-transmit <dscp-value> | set-prec-transmit <prec-value> | 
set-group-transmit <qos-group> | set-clp-transmit | 
set-de-transmit | set-cos-transmit <cos> } 


To configure the violate-action for a class, use the following command in policy class configuration mode: 


CLI (cfg-pmap-c)> police violate-action { transmit | drop | 


set-—dscp-transmit <dscp-value> | set-prec-transmit <prec-value> | 
set-group-transmit <qos-group> | set-clp-transmit | 
set-de-transmit | set-cos-transmit <cos> } 


The violate-action makes sense only if the PIR is configured. 
To enable the color-aware mode, use this: 
CLI (cfg-pmap-c)> police color-aware <green-dscp> 


[ <yellow-dscp> [ <red-dscp> ] ] 


For the classes AF1 to AF4, only green DSCP is required (yellow and red DSCP can be derived from the 
class). For any other class for which no standard codes are defined, all three DSCP values should be 
specified. 


To remove or disable a traffic policing parameter, use the 'no' form of the corresponding command. 
Traffic policing can be also applied to the class-default. A policy-map with traffic policing configured can be 
applied either to an input interface or an output interface, whichever is appropriate. 


4.15.2.4 Bandwidth Setting 


If a class is a non-priority class, reserve bandwidth required by the class using the following command: 


CLI (cfg-pmap-c)> bandwidth <kbps> 


Or, alternatively the bandwidth can be specified in percent, 
CLI (cfg-pmap-c)> bandwidth percent <1-99> 
If a class is a priority class, reserve the bandwidth required by the class using the following command. The 


burst parameter can optionally be forced in the command. If excess-allowed is used, the priority class will 
also take advantage of the remaining bandwidth distribution based on priority described in 4.15.2.5.2. 


CLI (cfg-pmap-c)> priority <kbps> [<burst-—in-bytes>] [excess—allowed] 


Or, alternatively the bandwidth can be specified in percent: 


CLI (cfg-pmap-c)> priority percent <1-99> [<burst>] [excess—allowed] 


Note: The OneOS implementation requires that 10 kbps are reserved for the default class. 
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The priority class has fixed maximum guaranteed bandwidth (without excess—allowed). The normal 
priority class has minimum guaranteed bandwidth. The remaining bandwidth, after user configuration, is 
given to the default class. The unused bandwidth, at run time, is dynamically shared among all normal 
priority classes and the default class, and the priority classes with excess-allowed. 


The bandwidth for all user-defined classes can be specified in absolute value, or in percent, or using both 
(see latter this section for a configuration example). No matter which method is used, the following rules 
must be respected: 


1. The sum of all absolute bandwidth values must be strictly less than the total bandwidth of the 
interface on which the policy-map will be applied. 


2. The sum ofall bandwidth percentages must be strictly less than 100 percent. 


3. If both absolute values and percentages are used, both above-conditions must always be met. 
Classes with bandwidth in absolute value will have their bandwidth reserved, whereas the 
classes with bandwidth in percent will have their bandwidth computed as _ follows: 
(B-Sum(ABSi) ) xPk, where B is the interface bandwidth, ABSi is the absolute bandwidth for 
class i and Pk is the percentage for class k. The result must be strictly greater than 0. 


When the above conditions are not met, attaching the policy-map to an output interface will fail. 


The reserved bandwidth per class is the data rate over the underlying data link. The IP QoS scheduler 
component estimates bandwidth usage for each class by adding extra bytes to every packet during 
shaping calculation. The extra bytes represent all lower layer headers, padding, as well as trailers, 
required by a specific network interface protocol. 


One could be surprised by the impact of layer-2 headers: a user flow could be sent at a rate much below 
the reserved rate, but packets are being lost. This is because of a large difference between the IP packet 
size and fixed ATM cell size. For example, an IP packet of 40 bytes (such as TCP ACK or UDP 
datagram’s) will be typically concatenated with a 8- byte IPoA header and a 8-byte AAL5 trailer, which 
makes 56 bytes overall. It will be sent using two ATM cells (48-bit payload + 5-bit ATM header). As a 
result, the IP input rate (assuming all packets are of the same length) will be multiplied by 106/40, i.e. more 
than doubled. In that case, even if user sends data at a rate much lower than the reserved rate, the ATM 
VC is already saturated and a portion of packets is dropped. Therefore if the data flow within a class is 
composed of small sized packets, the bandwidth provisioning should take this effect into account. For large 
packets (longer than 1000 bytes), the impact of layer-2 overhead is generally not as much visible. 


4.15.2.5 Remaining Bandwidth Distribution Management 


Usually, all IP classes of service do not fully use their allocated bandwidth simultaneously. There are some 
classes receiving less traffic than the reserved bandwidth, thus allowing the other AF and default classes 
to get more bandwidth. The next paragraph explains how this remaining bandwidth is shared. 


When iterating, the IP QoS scheduler has an overall quantity of data to emit which corresponds to the 
interface bandwidth. During this iteration, the scheduler sends a quantity of data for each class in order to 
guaranty that each class gets at least their respective configured bandwidth. If the overall quantity of data 
to emit has not been fully used, the scheduler can emit additional data from AF and best-effort queues. 


The remaining bandwidth distribution is by default based on the weight of the classes (see 4.15.2.5.1). It 
can optionally be based on the excess rate priority of the classes (see 4.15.2.5.2). This excess rate priority 
mechanism can be used, for example, to manage the remaining bandwidth differently for two classes 
having the same weight (the same reserved bandwidth). 


4.15.2.5.1 Remaining Bandwidth Distribution based on weight 


The quantity of data taken from each queue depends on the weight of the class. 
By default, the weight of a class is equal to: 
Weight = ( class_bandwidth / ip_interface_bandwidth ) x 100 


The sum of all weights is equal to 100. This means a class gets a remaining bandwidth that is proportional 
to its bandwidth. 


To override the default weight, use the following command under class configuration in a policy-map: 


CLI (cfg-pmap-c)> remaining-bw-share <weight> 


<weight> can range from 1 to 99. 


Page 4.15-367 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


The remaining bandwidth share is equal to the class weight divided by the sum of weights of 
classes having remaining bandwidth to emit. 


Let us take an example to make things clear; assume we have 4 classes: 

e One EF class, with a guaranty of 15% bandwidth uplink, real usage = 10% 

e  AF1 class, with 40% of uplink bandwidth, fully used (>40%), weight = 40 

e AF2 class, with 30% of uplink bandwidth, real usage = 10%, weight = 30 

e Best effort class, (remaining reserved = 100—10—40-30 = 20%), fully used (>20%), weight = 20 


In order to serve all classes with their guaranteed bandwidth, 80 % of the interface bandwidth is used 
(10+40+10+20). 20% of the interface bandwidth have to be redistributed between the class AF1 and BE. 
By applying the formula above, we find the following bandwidth sharing: 


Share (AF1) = weight (AF1) / ( weight (AF1) + weight ( 
Share (BE) = weight (BE) / ( weight (AF1) + weight (BE 





BE) ) = 66,7% 
) ) = 3373% 











To restore the default weights for remaining bandwidth sharing, use the following command: 


CLI (cfg-pmap-c)> default remaining-—bw-share 
4.15.2.5.2 Remaining Bandwidth Distribution based on priority 


This mechanism is automatically activated as soon as at least one class or sub-class of the policy is 
configured with the following command (0 is the lowest priority, 7 is the highest priority): 


CLI (cfg-pmap-c) > excess-rate-priority <0..7> 
The default priority is 0 (the lowest) for classes without excess rate priority including the main class level. 
At sub-class level (classes defined in a sub-policy referenced in the main policy applied to the interface), 


by default the sub-classes inherit the priority of their main class. This inherited priority can be overridden 
by configuring a different excess rate priority in the sub-classes. 


The excess rate priority mechanism is deactivated, with return to the weight algorithm, as soon as the 
following command is entered for all the classes and sub-classes: 


CLI (cfg-pmap-c)> no excess-rate-priority 
When the excess rate priority mechanism is activated, all classes of the same priority are serviced before 


the classes of lower priority. Lower priority classes are serviced only if there remains unused bandwidth 
after the higher priority classes have been serviced. So it is a strict priority de-queuing. 


The EF (high-priority) classes are only concerned when excess-allowed is used otherwise they are strictly 
limited to their guaranteed bandwidth. AF classes (medium-priority) are concerned. As so the class- 
default class can also be attributed an excess-rate-priority. 


For classes of the same priority, the remaining bandwidth attribution is done using the weight algorithm 
(see 4.15.2.5.1). 


4.15.2.6 Flow Based CBWFQ 


For each class, the user can configure flow-based WFQ and optionally, specify the maximum number of 
dynamic queues to be reserved. To enable flow-based WFQ, use the following command: 


CLI (cfg-pmap-c)> fair-queue [ <number-of-dynamic-—queues> 


[ <dynamic-queue-length> ] ] 


By default, the maximum number of dynamic queues is set to 256. It must be equal to a power of 2 (to use 
some arithmetical properties of binary calculation) and ranges from 16 to 4096. The queue length is by 
default 10 and can range from 1 to 60. To avoid memory exhaustion, the total number of packets for a fair- 
queue class must be less than the queue-limit configured in the next section. 


To disable this feature, use the following command: 


CLI (cfg-pmap-c)> no fair-queue 
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4.15.2.7 Queue Size 


For each class, the user can set the queue size, i.e. the maximum number of packets that can be placed in 
the queue: 


CLI (cfg-pmap-c) > queue-limit <queue-size> 


To return to the default value, which is 50 (packets): 





CLI (cfg-pmap-c)> default queue-limit 
4.15.2.8 RED, WRED and ECN 


The user can also enable Random Early Detection (RED) and Explicit Congestion Notification (ECN) for 
each class. To enable RED, use the following command: 


CLI (cfg-pmap-c) > random-detect 


To disable it, use the following command: 

CLI (cfg-pmap-c)> no random-detect 
If RED is enabled, the maximum threshold is the queue size, and the minimum, half the queue size. The 
mark probability is internally set to 1/10, and the exponential weighted moving average (EWMA) 1/64. 


To enable WRED based on DSCP value (gold/yellow preferred to gold/red preferred to silver/green ...etc.), 
use the following command: 


CLI (cfg-pmap-c)> random-detect dscp-based 


To disable WRED, use the following command: 

CLI (cfg-pmap-c)> no random-detect dscp-—based 
To specify the minimum and maximum threshold, and optionally the mark-probability denominator for each 
DSCP value, use the following command: 

CLI (cfg-pmap-c)> random-detect dscp <dscp-value> <min> <max> [<mark-pro>] 
To set the default minimum and maximum threshold, and optionally the mark-probability denominator for 
each DSCP value, use the following command: 

CLI (cfg-pmap-c)> no random-detect dscp <dscp-value> 
To enable WRED based on precedence value (Gold preferred to Silver, preferred to Bronze... and so on), 
use the following command: 


CLI (cfg-pmap-c)> random-detect prec-—based 


To disable it, use the following command: 

CLI (cfg-pmap-c)> no random-detect prec-—based 
To specify the minimum and maximum threshold, and optionally the mark-probability denominator for each 
precedence value, use the following command: 

CLI (cfg-pmap-c)> random-detect precedence <prec-value> <min> <max> 

[<mark-pro>] 

To set the default minimum and maximum thresholds and, optionally, the mark-probability denominator for 
each precedence value, use the following command: 


CLI (cfg-pmap-c)> no random-detect precedence <prec-value> 


To enable WRED based on qos-group value, use the following command: 


CLI (cfg-pmap-c)> random-detect qos-—group-—based 


To disable it, use the following command: 


CLI (cfg-pmap-c)> no random-detect qos-—group-—based 
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To specify the minimum and maximum thresholds and, optionally, the mark-probability denominator for 
each qos-—group value, use the following command: 


CLI (cfg-pmap-c)> random-detect qos-group <qos-group-value> <min> <max> 
[<mark-pro>] 
To set the default minimum and maximum threshold, and optionally the mark-probability denominator for 
each qos-group value, and, use the following command: 
CLI (cfg-pmap-c)> no random-detect gos-group <qos-group-value> 
To configure the exponential weight factor used to calculate the average queue size, use the following 
command: 


CLI (cfg-pmap-c) > random-detect exponential-—weighting-constant 


To set the default exponential weight factor value, use the following command: 
CLI (cfg-pmap-c)> no random-detect exponential-—weighting-constant 

Explicit Congestion Notification (ECN) is a special feature of the TCP protocol, enabling to warn the remote 
TCP end that congestion is happening. Normally, congestion is controlled through the embedded flow 
control of TCP, which reduces the emission rate when a packet is dropped. Setting ECN when queues 
have reached a certain length enables to manage flow control before packets are dropped, thus optimizing 
the performance of TCP. ECN is made up of two bits. The first one indicates whether or not the ECN 
feature is supported. The second bit is permitted to be marked if the first bit is set. The queue length after 
which the ECN processing is activated corresponds to the RED/WRED threshold: if packets are queued 


when threshold are crossed, they can be marked. ECN takes effect only if RED or WRED is enabled and is 
disabled by default. To enable ECN, use the following command: 


CLI (cfg-pmap-c) > random-detect explicit-—congestion-notification 


To disable ECN, use the following command: 


CLI (cfg-pmap-c)> no random-detect explicit—congestion-notification 
4.15.2.9 DSCP Marking 


For each class in a policy-map the user can optionally set the DSCP value in the IP header: 


CLI(cfg-pmap-c)> [no] set ip dscp <0-63> 


Or, to set the IP precedence value, use the following command: 


CLI(cfg-pmap-c)> [no] set ip precedence <0-7> 
4.15.2.10 Virtual QoS Group Marking 


As previously mentioned, it is possible to internally mark a traffic flow. This is useful to perform 
classification at input interface and scheduling at output interface. To set a QoS group value to a class, use 
the following command: 


CLI(cfg-pmap-c)> [no] set qos-group <value> 
4.15.2.11 CLP Marking 


For each class in a policy-map, user can optionally set ATM CLP bit to 1. 


CLI (cfg-pmap-c)> [no] set atm-clp 
4.15.2.12 FR DE Marking 
Alternatively, if the uplink is Frame Relay based, we can set the DE bit of every packet handled by this 


policy 
CLI (cfg-pmap-c)> [no] set fr-de 
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4.15.2.13 802.1p Tagging 


The 802.1p tag can be set with the next command: 


CLI (cfg-pmap-c)> [no] set cos <0..7> 


Note that the 'set cos’ statement overrides the default priority tagging activated on the interface. 
N.B.: 


e The'set cos' statement only makes sense on an interface where dot1Q encapsulation is enabled or 
if the interface is dot1 1radio. 


e —_ Policy-map can be applied as input or output service-policy. 
e CoS value configured using a policy-map overwrites default CoS value configured under interface. 


e Setting 802.1p user priority bits on a non-dot1Q interface will not fail. The behavior depends of 
interface type: 


e Ondot1 radio, the VLAN is not present, no tagging is performed. Nevertheless, the information 
is used by the driver to prioritize outgoing traffic. 


e Onall interfaces, the command virtually sets CoS on packets. 
4.15.2.14 Policy Nesting 
A policy can be used inside a class allowing the user to set a rich QoS, mixing classification, policing and 


shaping; for example mixing layer-3 classification and layer-2 shaping. 


To insert a previously defined policy in a class, use the following command in policy map class 
configuration mode: 


CLI (cfg-pmap-c)> [no] service-policy <policy-name> 
4.15.2.15 Attaching a Policy to an Interface 
Finally, the QoS parameters that have been defined are applied to an interface either in the input or the 


output direction. 


First, the user should specify the total bandwidth that is to be used at a given output interface. If this is not 
done, the total bandwidth is set by default to the link bandwidth. 


CLI (configure)> interface <type> <unit> 


CLI (config-if)> bandwidth <kbps> 


Important Note: if no output policy is attached to the interface, an implicit bandwidth shaping is 
applied to limit the traffic on the interface to the total bandwidth. The applied shaping is a CIR 
without EIR (no excess bandwidth allowed) with a single rate token bucket mechanism. 


The user can specify a policy-map in the output direction to apply the defined QoS parameters: 


CLI (config-if)> service-policy output <policy-map> 


On the average, the scheduler will strictly limit the specified bandwidth of the interface and allow fair 
sharing of bandwidth among all defined classes. 


The user can also specify a policy-map in the input direction if required: 


CLI (config-if)> service-policy input <policy-map> 


Again, at an input interface, the service policy classify can be used to classify, police, and mark traffic. 


4.15.3 Configuration Examples 


In this section, the following examples are given to illustrate: 


e Basic bandwidth management at output interface with CBWFQ. 
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e Bandwidth reservation over multiple interfaces. 
e Class based traffic policing. 
e — Input rate limiting. 


e Remaining bandwidth distribution. 
4.15.3.1_ Output Bandwidth Management 


There are three classes in this example: the EF class, AF1 class and the Best Effort class. RTP voice 
traffic is placed in the EF class, FTP traffic into AF1, and all remaining into the Best Effort class. An access 
list is used to classify FTP traffic (the FTP server could be found inside or outside the private network). The 
following commands create the required access list and class-maps: 


= Internet 


ATM interface 

















RTP source 


Private Network 
192.168.2.0 


ip access-list extended ftp-acl 

permit tcp 0.0.0.0 255.255.255.255 21 0.0.0.0 255.255.255.255 
permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 21 
permit tcp 0.0.0.0 255.255.255.255 20 0.0.0.0 255.255.255.255 
permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 20 
exit 


class-map afl 
match access-group ftp-acl 
exit 


class-map ef 
match ip rtp 9000 5000 
exit 


Now, define a policy, which contains three classes: 
e The EF class is a priority class and takes 80 kbps (for one non-compressed voice channel). 


e The AF1 class is not a priority class and takes 300 kbps. For traffic matching this class, the 
DSCP is set to that of the AF1 class. In addition, RED and ECN are enabled. 


e No action is performed for the default class, except that fair queuing (WFQ) is enabled 40. The 
default class will take the interface bandwidth minus the bandwidth allocated to the EF and 
AF1 classes. 


policy-map demo 
class ef 
priority 80 
queue-limit 40 
exit 


class afl 

set ip dscp 10 

bandwidth 300 

random—detect 
explicit—congestion-notification 
exit 


class class-default 
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fair-—queue 
exit 
exit 


Finally, apply the policy to the right interface: 


interface Atm 0.1 
bandwidth 2000 
service-policy output demo 
exit 


4.15.3.2 Bandwidth Reservation over Multiple Interfaces 


In this example, it is shown how to define a policy-map, which can be applied to multiple interfaces, for 
example, a primary interface and a backup interface. The same classes used in the last example will be 
used here. As the priority class EF requires fixed bandwidth, its bandwidth is specified in absolute value. 
The non-priority class AF1 and the class-default will each get 50% of the remaining bandwidth. The 
configuration commands are as follows: 


policy-map demo 
class ef 
priority 80 
queue-limit 20 
exit 


class afl 

set ip dscp 10 
bandwidth percent 50 
random-—detect 

exit 


class class-—default 
queue-limit 40 

exit 

exit 


Apply the policy to the right interfaces: 


interface Atm 0.1 
bandwidth 2000 
service-policy output demo 
exit 


interface Serial 0.1 
bandwidth 128 
service-policy output demo 
exit 


On the interface Atm 0.1, the EF class will get 80 kb/s, the class AF1 and the class-default each get 960 
kb/s. On the interface Serial 0.1, the EF class will get 80 kb/s, the class AF1 and the class-default each get 
only 24 kb/s. 


4.15.3.3. Class based Traffic Policing 


In this example, traffic conditioning using ttTCM (Two Rate Three Color Marker) is illustrated. In the first 
policy-map, the class AF 1 is still used as an example. The traffic flows within AF1 are guaranteed to send 
as much traffic as 500 kbps (committed information rate) with 10 kbps burst. Traffic below this rate is 
marked green (AF11). The traffic aggregate within AF1 can be accepted as much as 800 kbps (peak 
information rate) with 20 kbps burst. Traffic below this rate is marked yellow (AF 12). If the traffic aggregate 
within AF1 goes beyond this rate, known as red, it is always dropped (though it can be marked as red and 
transmitted). In addition, color-aware mode is enabled, it means that input packets pre-colored as yellow or 
red will have higher drop probability than the green ones. This policy-map is attached to the input interface, 
FastEthernet 0/0. 


The configuration commands are as follows: 


policy-map diffserv-tcb 
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class afl 


police 
police 
police 
police 
police 
police 
exit 

exit 


cir 500 10000 

pir 800 20000 

conform-action set-dscp-transmit afl1l 
exceed-action set-dscp-transmit af12 
violate-action drop 

color-aware afll af1l2 af13 


4.15.3.4 Input Rate Limiting 


In this example, a policy-map is defined for input rate limiting and attached to FastEthernet 0/0. All traffic 
received on FastEthernet 0/0 should not exceed 1 Mbps (as CIR). Non-conforming traffic is simply 
dropped. No actions need to be configured since the default conform-action is to transmit; the default 
exceed-action is to drop. 


The configuration commands are as follows: 


policy-map in-rate-limit 
class class-—default 


police 
exit 
exit 


cir 1000 20000 


interface FastEthernet 0/0 
service-policy input in-rate-limit 


exit 


4.15.3.5 Remaining bandwidth distribution 


In this example, the line rate is 2 Mbps. Two VLAN, 101 and 102, have a 400 kbps CIR with each two 
layer-3 class policies (250+150 kbps). VLAN 101 has excess rate priority 1, VLAN 102 has priority 2. 


The scheduler will first serve the layer-3 classes up to their configured bandwidth. Then, inside each 
VLAN, the bandwidth up to the CIR will be allocated to the default class, then again to the layer-3 classes 
and the best effort class. The remaining bandwidth will first be allocated to VLAN 101 (priority 1) classes 
according to their weights then to VLAN 102 (priority 2) when VLAN101 queues are emptied. 


The configuration commands are as follows: 


class-map vlani01 
match vlan 101 


exit 


class-map vlan102 
match vlan 102 


exit 


class-map internet-vlan101 
match access-group internet1l 


exit 


class-map data-vlanl101 
match access-group datal 


exit 


class-map internet-—vlan102 
match access-group internet2 


exit 


class-map data-vlan102 
match access-group data2 


exit 


policy-map vlan101Shaper 
class internet-vlanl101 
bandwidth 250 


exit 


class data-vlanl101 
bandwidth 150 


exit 
exit 
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policy-map vlanl02Shaper 
class internet-vlan102 
bandwidth 250 
exit 
class data-vlanl102 
bandwidth 150 
exit 
exit 


! Main Shaper 
policy-map vlanShaping 
class vlani0l 
bandwidth 400 
service-policy vlan101Shaper 
excess-rate-priority 1 
exit 
class vlan102 
bandwidth 400 
service-policy vlanl02Shaper 
excess-rate-priority 2 
exit 
exit 


interface atm-aal5 0.1.1 
ip address 10.10.1.1 
encapsulation dotlq 101 

exit 

interface atm-aal5 0.1.2 
ip address 10.10.1.2 
encapsulation dotlq 102 

exit 

interface atm-aal5 0.1 
pve vpi 1 vci 32 

qos ubr pcr 2000000 
execute 
service-policy vlanShaping output 
exit 


4.15.4 Statistics 


At any stage of the configuration, information about the configured QoS settings can be displayed. 
To display the matching rules about a class: 


CLI> show class-map [<class-—name>] 


If the class name is missing, all existing classes will be displayed. For example: 


CLI> show class-map ef 
class-map match-all ef 
match ip rtp 9000 5000 
exit 


To display the policy settings of a policy: 


CLI> show policy-map demo 
policy-map demo 

class afl 
explicit-—congestion-notification 
random-—detect 

bandwidth 300 

set ip dscp 10 

exit 

class ef 

queue-limit 20 

priority 80 

exit 

class class-—default 
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queue-limit 55 
exit 
exit 


If the policy name is missing, all existing policies will be displayed. 


To display only the information about a class ina 


CLI> show policy-map demo class 
policy-map demo 

class afl 
explicit-—congestion-notificatio 
random-detect 

bandwidth 300 

set ip dscp 10 

exit 


policy: 
afl 


n 


To display the traffic statistics for a policy on an interface, use the following command: 


CLI> show policy-interface Atm 
Atm0O.1: output service policy d 
Class ‘ef': high priority 
bandwidth 80 kb/s, queue length 
mean input rate 74400 bits/s, 
packets output 4831, packets dr 
bytes output 1806794, bytes dro 
Class 'afl': medium priority 
bandwidth 300 kb/s, queue lengt 
mean input rate 298104 bits/s, 
packets output 6842, packets dr 
bytes output 9805313, bytes dro 
random early detection: 
explicit congestion notificatio 
min/max threshold 30/60, EWMA 6 
mean queue length 7, early drop 
Class 'class-default': medium p 
bandwidth 1620 kb/s, queue leng 
mean input rate 1887096 bits/s, 
packets output 23410, 
bytes output 35325224, 
Interface total: 
bandwidth 2000 kb/s 
mean input rate 2259600 bits/s, 
packets output 35084, 
bytes output 46937705, 





bytes dr 





To reset QoS related counters, use the following 


CLI> clear policy-interface [<t 


4.15.5 Debug and Trace 


To enable debugging IP QoS, use the following c 
CLI> debug ip qos 


packets dropped 3509 


packets dropped 3509 


0.1 
emo 


/limit 0/20 


mean output rate 74400 bits/s 


z 
© 


) 


(0 
(0% 


opped 0 ) 


pped 0 


6 


h/limit 6/60 

mean output rate 298104 bits/s 
opped 0 (0%) 
pped 0 (0% 


z 
© 


) 


oO 


n 
(1/64), mark probability 1/10 

s 0, tail drops 0 

riority 

th/limit 54/55 

mean output rate 1598376 bits/s 

(13%) 

opped 5298770 (13%) 


mean output rate 1972104 bits/s 
(9%) 


z 


© 


bytes dropped 5298770 (10%) 
command: 
ype> <unit>] [ { input | output } ] 


ommand in global mode: 


To disable debugging IP QoS, use the ‘no' form of the above-referenced command. 


4.15.6 Management Information Base (M 


1B) 


The DiffServ MIB, specified in RFC 3289, is supported, in read-only mode at present. 
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4.16 


4.16. 


4.16. 


POLICY BASED ROUTING 


Policy based routing can be defined as routing packets to outgoing path according to user-defined policy, 
which often makes use of criteria different from that used in the routing table. This section describes the 
main features of Policy Based Routing (PBR) and its configuration. 


1 Features 


By classical IP routing, input packets are forwarded to the outgoing interface with regard to its destination 
address contained in the IP header. The routing information is commonly specified in the routing table, on 
a network prefix/mask basis. This scheme works fine in most cases, but suffers from poor flexibility. For 
example, one may want to route critical traffic via a safer path than that used by other non-critical traffic. 


Policy based routing provides greater flexibility to meet a wide range of application requirements. It allows 
the selection of input traffic using a rich set of criteria, such as IP source address and destination address, 
DSCP or IP precedence value, and TCP/UDP ports. The selected traffic can be marked with a new DSCP 
or IP precedence value and can be forwarded to a specific next hop router or interface thereby bypassing 
the routing table. 


In common use, policy based routing can be used to provide the following services: 
e Link based traffic separation. 

e Application sensitive routing. 

e Protocol sensitive routing. 

e Source and/or destination based routing. 

e QoS based routing. 


For example, RTP voice traffic can be sent through a low delay and low loss link (or connection) whereas 
other traffic (such as HTTP, FTP) can be sent through an alternative link; or the traffic generated by a 
batch file transfer could be routed to a leased line, and the traffic issued elsewhere will be routed via an 
ISP network. 


Packets routed by policy based routing are fast forwarded such that the performance is at least as good as 
normal forwarding. Policy based routing is applied at the input interface after all inbound processing such 
as NAT, QoS, ACL if configured. PBR can also be applied for internally generated flows such as telnet or 
Voice over IP. All outbound processing configured at the output interface is also applied before sending 
the packet to the underlying data link. 


2 Configuration Commands 


Configuration of policy based routing is done in a very straightforward way. More specifically, similar to 
QoS policy-map, policy based routing makes use of class-map to select/classify traffic. Policy-route-map 
should be defined to specify the routes to use for each class type. Configuration of policy based routing 
can be divided into the following steps: 


e Create access lists to catch input traffic - optional. 

e Create class-maps to classify traffic into classes - required. 

e Create policy-route-map to specify policy routing - required. 

e Apply policy-route-map to input interface or to internal traffic - required. 


This section will focus on the configuration of policy-route-map. For the details on how to configure IP 
access lists and class-map, please refer to the sections regarding "IP Access Lists" and "IP Quality of 
Service". 
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4.16.2.1_ Creating a policy-route-map 


To create a policy-route-map, use the following command in global configuration mode: 

CLI (configure) > policy-route-map <policy-—name> 
This command, if successful, will enter into policy-route-map configuration mode. To delete a policy-route- 
map, use the 'no' form of the above command. 


A policy-route-map is a container of traffic classes associated with routing policy. User can add classes to 
a policy-route-map. A policy-route-map is never empty: the default class called 'class-default' is 
automatically added to a policy-route-map after creation. It matches any traffic, which does not match any 
user-defined class. 


4.16.2.2 Adding a class to a policy-route-map 
To add a class created by using a class-map to the policy-route-map, use the following command in policy- 
route-map configuration mode: 
CLI (config-prmap) > class <class-—name> 
This command, if successful, will enter into policy-route-map class configuration mode. To delete a class 
from the policy-route-map, use the 'no' form of the above command. 
To specify routing policy for the default class, use 'class-default' as class name. 


At run time, input traffic will be matched against each user-defined class in configuration order. Upon the 
first matching class, the associated actions (marking and/or routing) are applied. If no user-defined class 
matches the traffic, the actions associated with the default class are applied to the traffic. If no actions are 
associated with the default class, traffic will be passed to IP routing, that is, routed using the routing table. 


One or more actions can be associated with any user-defined class as well as the class class-default. 
Routing actions (by setting output interface or next hop) are applied after marking actions. 

4.16.2.3 DSCP Marking 
For each class in a policy-route-map, to set the DSCP value in the IP header, use the following command 
in policy-route-map class configuration mode: 


CLI (cfg-prmap-c)> set ip dscp <0-63> 


Or, to set the IP precedence value, use the following command: 


CLI (cfg-prmap-c)> set ip precedence <0-7> 


To remove such an action, use the 'no' form of the corresponding command. 
4.16.2.4 802.1p Tagging 


The 802.1p tag can be set with the next command: 


CLI (cfg-pmap-c)> set cos <0..7> 


Note that the 'set cos' statement overrides the default priority tagging activated on the interface. 
N.B.: 


e The'set cos ' statement only makes sense on an interface where dot1Q encapsulation is enabled or 
if the interface is dot11radio. 


e CoS value configured using a policy-route-map overwrites default CoS value configured under 
interface. 


e Setting 802.1p user priority bits on packets transmitted on a non-dot1Q interface or on an interface not 
configured to do dot1Q will not fail. The behavior depends on interface type: 


e Ondot1 radio, the VLAN is not present, no tagging is performed. Nevertheless, the information 
is used by the driver to prioritize outgoing traffic. 


e Onall interfaces, the command virtually set CoS on packets. 
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4.16.2.5 Virtual QoS Group Marking 


It is possible to internally mark a traffic class. This is useful to perform other QoS processing such as traffic 
policing and scheduling at output interface by using the qos-group as filtering criteria. To set a QoS 
group value to a class, use the following command in policy-route-map class configuration mode: 


CLI (cfg-prmap-c) > set qos-group <0-99> 
To remove such an action, use the 'no' form of the above command. 
4.16.2.6 CLP Marking 


For each class in a policy-route-map, to set ATM CLP bit to 1 (used when output to ATM interface), use 
the following command in policy-route-map class configuration mode: 


CLI (cfg-prmap-c)> set atm-clp 


To remove such an action, use the 'no' form of the above command. 


4.16.2.7_ FR DE Marking 


Alternatively, the DE bit of every packet matching the policy class map can be marked: 


CLI (cfg-prmap-c)> set fr-de 
4.16.2.8 Setting Output Path 


Output path is specified either by output interface or next hop. To set the output interface or next hop 
address for a class, use the following commands in policy-route-map class configuration mode: 


CLI (cfg-prmap-c)> set interface <type> <unit> 





CLI (cfg-prmap-c)> set ip next—-hop <ip-address> 


Multiple output interfaces or next hops can be set for each class (by entering the same command multiple 
times). If output interface is used, that implies that the destination network is either directly connected or 
the interface is a point-to-point interface. In other cases, next hop should be used instead. 


At run time, the specified output paths are checked in configuration order. Upon the first path which has its 
status UP, traffic matching this class will be sent out through it. If none of the specified output paths is UP, 
the traffic will be handed to IP routing, that is, routed using the routing table. 


Therefore to provide backup route for the traffic, user can either set multiple output paths or use normal IP 
routing. If the traffic is highly critical, user may want it to arrive at its destination through a secure path or 
not at all. In that case, to forbid the traffic going out via normal routes (by IP routing) when the preferred 
path is down, the following commands can be used for example: 


CLI (cfg-prmap-c)> set interface atm 0.1 





CLI (cfg-prmap-c)> set interface null 0 


In this way, when the interface ATM 0.1 goes down, traffic will be dropped. 


To remove such an action, use the 'no' form of the corresponding command. 
4.16.2.9 Attaching a policy-route-map to an Interface 


Policy routing is applied to input interfaces. To attach a policy-route-map created earlier to an input 
interface, use the following command in interface configuration mode: 

CLI (config-if)> ip policy-routing <routemap> 
<routemap> is the name of policy-route-map. The same policy-route-map can be attached to multiple 
interfaces. 


To disable policy routing on an interface: use the 'no' form of the above command. 
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4.16.2.10 Attaching a policy-route-map to internally generated traffic 


To apply a policy-route-map to traffic generated by the router, use the following command in global 
configuration mode: 


CLI (configure)> [no] ip local policy-route-map <routemap> 


4.16.3 Configuration Example 


4.16.3.1 


Flow separation 


In the following example, it is intended to route real-time traffic through a serial line, flow-controlled traffic 
(TCP) through interface ATM 0.1, and non flow-controlled traffic (UDP, ICMP, etc.) through a different 
interface ATM 0.2. 


RTP traffic is classified into the class called rtp; all TCP traffic into the class t cp-flows. A policy-route- 
map, namely routemap1, is created which includes the class rtp, the class tcp-flows, the class class- 
default (non flow-controlled traffic). Here RTP flows are either routed through the serial line or not at all 
(dropped if the serial line is down). But for TCP and default flows, if the corresponding output interface 


goes down, they will be handed to IP routing. 


Here is the configuration script: 


4.16.3.2 


ip access-list tcp-acl 


permit tcp 0.0.0.0 0.0.0.0 0 0.0.0.0 0.0.0.0 0 


exit 


class-map rtp 
match ip rtp 10000 2000 
exit 


class-map tcp-flows 
match access-group tcp-acl 
exit 


policy-route-map routemap1 
class rtp 

set interface serial 0.1 
set interface null 0 
exit 

class tcp-flows 

set interface atm 0.1 
exit 

class class-—default 

set interface atm 0.2 
exit 

exit 


interface FastEthernet 0/0 
ip policy-routing routemap1 
exit 


Internal Flow Marking 


This example shows how to mark all packets generated by the router. This can be useful when you classify 
packets at the output based on the DSCP value to apply a specific QoS: you only need to mark internal 


flows to force the corresponding packets to be queued in a specific CoS. 


class-map internal_flows 
match any 
exit 


policy-route-map mark_internal_flows 


class internal_flows 
set dscp 44 
exit 
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exit 
ip local policy-route-map mark_internal_flows 


4.16.4 Statistics 


To display the policy route configuration, use the following command: 


CLI> show policy-route-map 


To display statistics about the policy routing, use the following command: 


CLI> show policy-route-interface 


4.16.5 Debug and Trace 


To enable IP interface debugging, use the following command: 


CLI> debug ip interface 


To disable IP interface debugging, use the 'no' form of the above command. 
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4.17 


4.17. 


4.17.2. 


4.17.2. 


DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP) 


This section describes the main features of the Dynamic Host Configuration Protocol (DHCP) client-server, 
and relay, and their configuration. 


.1 Features 


The DHCP protocol is intended to supply configuration parameters to hosts as part of their start-up 
procedure. The DHCP protocol provides a mechanism to assign network addresses to hosts. DHCP hosts 
are dynamically configured, thus allowing considerable reduction of the work usually done by the 
administrator. 


DHCP is built on a client-server model, where the server allocates the network addresses to clients upon 
requests. In addition, DHCP is often used to deliver other configuration parameters to clients, such as DNS 
server(s) and the default router. 


In DHCP, the parameters transferred from a server to clients are called options. The most frequently used 
option is IP address. 


DHCP provides three methods to assign an IP address to a client: 


e Automatic allocation: DHCP assigns a permanent IP address to a client (for an infinite period of 
time). 


e Dynamic allocation: DHCP allocates an IP address to a given client for a limited period of time. 


e Manual allocation: A client's IP address is assigned by the administrator, and DHCP is used 
simply to convey the assigned address to that client. 


The DHCP protocol is described in RFC 2131. DHCP is an extension of the BOOTP protocol. Being the 
case, BOOTP clients are interoperable with DHCP server. 


The maximum number of addresses that can be managed by the DHCP server is 1024 (or higher 
according to the version). 


Additionally, DHCP relay service enables DHCP clients to reach DHCP servers located in other network 
segments. DHCP relay forwards client-originated DHCP packets to a DHCP server, and vice-versa. The 
DHCP relay service is described in RFC 3046. 


2 Configuration Commands 
The configuration of DHCP can be divided into three steps. Users can complete one or all of the steps 
according to their specific requirements: 
e Configuring DHCP Client 
e Configuring DHCP Server 
e Configuring DHCP Relay 
The DHCP client is configurable on all interfaces of OneOS-based routers, including WAN interfaces. It 
provides the ability to retrieve configuration data of a router. 
1 DHCP Client 
1.1. Configuring DHCP Client on Ethernet Interfaces 
To obtain an IP address on Ethernet or FastEthernet interface from a DHCP server, use the following 


command: 


CLI (configure)> interface { Ethernet | FastEthernet } <unit> 
CLI (config-if)> ip address dhcp [hostname <hostname>] [client-id <cliid>] 
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CLI (config-if)> exit 


When the optional client-id argument is not present, the DHCP DISCOVER message uses the MAC 
address of the interface otherwise if present it uses the client—id string value. 


To disable the DHCP client, use the following command: 


CLI (config-if)> no ip address dhcp 
4.17.2.1.2 Configuring a DHCP Client on another interface 


To obtain an IP address (as well as autoconfiguration parameters) on another interface (BVI, ATM, etc.) 
from a DHCP server, use the following command in interface configuration mode: 


CLI (config-if)> ip address dhcp client-id [fastethernet 


<module>/<port>.<sub-interface> | ethernet <port>.<sub-interface>] 


The optional argument indicates which MAC address shall be used in the DHCP DISCOVER message. 
The DHCP message is an IP datagram unless bridging is enabled (then, the DHCP message is a MAC 
frame). 


To include the option 60 within the DISCOVER messages and to append a proprietary vendor-ID string, 
use the following command in global configuration mode: 


CLI (configure)> ip dhep vendorid <vendorid> 
<vendorid> within DHCP message will be made up of the specified string and the OneOS version name, 


separated by the "-" character. In order not to include the option #60, use the no form of the above 
referenced configuration command. 


4.17.2.1.3. DHCP Client Options 


When OneOS sends DHCP requests, it might be desirable to define some DHCP options. Option 51 
(DHCP lease) is sent by default; the command not to send this option is (under interface configuration 
mode): 


CLI (config-if)> [no] ip dhcp client lease-opt-less 
A DHCP client may ignore the default route learnt via DHCP protocol; this function is useful if multiple 
interfaces are DHCP clients, but only one interface must be able to get the default route: 

CLI (config-if)> [no] ip dhcp client ignore-default-route 
To set the Class ID ASCII string (DHCP option 60), the following command must be used in global 
configuration mode: 

CLI (configure)> ip dhep vendorid <vendor-id> standard 
The vendor ID can be configured with another command syntax, whereby the option 60 concatenates 
<vendor-id> and the OneOS version name. Command syntax in global configuration mode: 

CLI (configure)> ip dhcp vendorid <vendor-id> 
The DHCP option 77 (called User-Class) is an ASCII string that is set on the DHCP client. The DHCP 


server may match this option to select appropriate option values in the DHCP responses. The option is set 
as follows in interface configuration mode: 


CLI(config-if)> [no] ip dhcp client user-class-id <user-class-—id> 


The next command turns on/off the broadcast flag in DHCP Of fer/Ack message, so that the server is 
made aware if the DHCP packets are unicast or broadcast. 


CLI (configure)> [no] ip dhcp client broadcast-—flag 
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4.17.2.2_ Configuring DHCP Server 
4.17.2.2.1 Configuring a Database Agent 


A database agent is a host that stores the DHCP binding database of the server. This is useful to restore 
the state after reboot. It is possible to configure the interval time between database updates (optional). 


To configure a database agent, use the following command in global configuration mode: 


CLI (configure)> ip dhcp database <url> [<update-interval>] 


An example URL is ftp:/ /Uusername:password@10.1.2.38/dhcp/server/database. 


By default, the interval to update database is 600 seconds. 
To delete a database agent, use the following command in global configuration mode: 


CLI (configure)> no ip dhcp database 
4.17.2.2.2 Creating an Address Pool 


The DHCP address pool contains IP addresses and other configuration parameters. The pool is used by 
the server to provide addresses to the clients. To create a DHCP address pool, use the following 
command in global configuration mode: 


CLI (configure)> ip dhcp pool <pool-name> 
By entering this command the user enters the DHCP configuration mode. A number of commands are 
available to manipulate the address pool. 
To remove the address pool, use the following command: 


CLI (configure)> no ip dhep pool <pool-name> 
4.17.2.2.3. Using IPCP to add Addresses to the Pool 


The address pool can be automatically created using the address and the mask retrieved by IPCP (needs 
"ipcp mask-request" and “ip unnumbered <interface>" commands under PPP), use the 
following command: 


CLI (dhcp-config)> origin ipcp 
In order to have this pool used by the DHCP server on <interface>, use the following command in sub- 
interface configuration mode to link the <pool-name> to the <interface>: 

CLI (configure)> interface <interface> 


CLI (config-if)> ip address pool <pool-name> 


Once the IP address range is configured, one can configure other DHCP options associated with this pool, 
such as DNS Server, default router, etc. 


4.17.2.2.4 Adding Addresses to the Pool 


To add addresses to the pool, use the following command in DHCP configuration mode: 

CLI (dhcp-config)> network <ip-address> <netmask> 
Once the IP address range is configured, one can configure other DHCP options associated with this pool, 
such as DNS Server, default router, etc. 


The netmask parameter is used to configure the number of addresses in the pool from <ip- 
address>. For example, ‘network 10.10.10.18 255.255.255.248' creates a pool from 
10.10.10.18 up to 10.10.10.25. 


The network mask provided to DHCP clients is the network mask configured on the interface where the 
DHCP server is directly connected. To specify a different network mask, use the netmask command. 


To remove addresses from the pool, use the 'no' form of the above-referenced command. 
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4.17.2.2.5 Excluding Addresses 


To exclude one or more IP addresses (for example, the interface address or other manually assigned 
addresses) to be assigned by the server, using the following command in global configuration mode: 


CLI (configure)> ip dhcp excluded-address <ip-address> [<ip-address>] 
If two addresses are entered with this command, the range of IP addresses is excluded. To remove 
several non-consecutive IP addresses, use the 'ip dhcp excluded-address <ip-address>' 


command several times. To remove excluded IP addresses, use the 'no' form of the above-referenced 
command. 


4.17.2.2.6 Configuring a Manual Binding 


To configure a manual binding, first enter in DHCP configuration mode: 


CLI (configure)> ip dhcp pool <pool-name> 


To create a manual binding between IP address and hardware address, use the following command: 


CLI (dhcp-config)> host <ip-address> 
CLI (dhcp-config)> hardware-address <MAC-address> ethernet 








The MAC address is in a format such as: '00:80:DE:AD:BE:EF'. Following the above-referenced 
commands, one can also set other DHCP options associated with the host; client name, hostname, etc. 














Alternatively, a binding may be declared without using the ‘hardware-address ... command if the client- 
identifier command is used: 


CLI (dhcp-config)> host <ip-address> 
CLI (dhcp-config) > client-identifier <string> 





To remove the manual binding or an option in a manual binding, use the 'no' form of the corresponding 
command. 


4.17.2.2.7 Configuring a Network Mask 


To configure the network mask, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> netmask <netmask> 


To restore the default network mask, use the following command in DHCP configuration mode: 





CLI (dhcp-config)> no netmask 
4.17.2.2.8 Configuring DHCP Server Option — Boot File 


To set a boot file name, use the following command in DHCP configuration mode: 


CLI (dhcp-config) > boot-file <filename> 
To remove the boot file name, use the 'no' form of the above-referenced command. 
4.17.2.2.9 Configuring DHCP Server Option — Client Identifier 


To set a client identifier, use the following command in DHCP configuration mode: 


CLI (dhcp-config) > client-identifier <tp:aa.bb.cc.dd.ee.ff> 


All values are given in hexadecimal with tp being the client type; for example: 01 for Ethernet type. 


To remove the client identifier, use the 'no' form of the above-referenced command. 
4.17.2.2.10 Configuring DHCP Server Option — Client Name 


To set a client name, use the following command in DHCP configuration mode: 
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CLI (dhcp-config)> client-name <hostname> 


To remove the client name, use the 'no' form of the above-referenced command. 
4.17.2.2.11 Configuring DHCP Server Option — Default Router 


To set a default router, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> default-router <ip-address> [ip-address] [ip-address] 


To remove the default router, use the 'no' form of the above-referenced command. 
4.17.2.2.12 Configuring DHCP Server Option — DNS Server 


To set DNS servers, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> dns-server <ip-address> [ip-address] [ip-address] 


To remove the DNS server, use the 'no' form of the above-referenced command. 
4.17.2.2.13 Configuring DHCP Server Option - Domain Name 


To set the domain name, use the following command in DHCP configuration mode: 


CLI (dhcp-config) > domain-name <name-string> 


To remove the domain name, use the 'no' form of the above-referenced command. 
4.17.2.2.14 Configuring DHCP Server Option — Lease Time 


The lease time is the time during which the address allocated to a DHCP client remains valid. After the 
lease time, the DHCP client must renew its address. To set the address lease time, use one of the two 
following commands in DHCP configuration mode: 


CLI (dhcp-config)> lease <days hours minutes> 





CLI (dhcp-config)> lease infinite 


The default lease time is 24 hours. To return to the default value, use the 'no' form of the above-referenced 
command. 


4.17.2.2.15 Configuring DHCP Server Option — NetBIOS Name Server 


To set NetBIOS (WINS) name servers, use the following command in DHCP configuration mode: 


CLI (dhcp-config) > netbios-name-server <ip-address> [ip-address] 


To remove the name server, use the 'no' form of the above referenced command. 
4.17.2.2.16 Configuring DHCP Server Option — NetBIOS Node Type 


To set the NetBIOS (WINS) node type, use the following command in DHCP configuration mode: 
CLI (dhcp-config) > netbios-node-type { b-node | h-node | m-node | p-node } 


To remove the node type, use the 'no' form of the above-referenced command. 
4.17.2.2.17 Configuring DHCP Server Option — Class ID 


The following option adds a rule in the DHCP server to match the option 60 (Class ID). A DHCP client 
must include the option 60 that matches the value configured under the DHCP pool so that the DHCP 
server uses that pool to respond. In case several matching rules are defined, all rules must be matched. 


The Class ID is set as follows under DHCP pool configuration: 
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CLI (dhcp-config) > class-id <ascii-string> 


To remove the Class ID option: 





CLI (dhcp-config)> no class-id 
4.17.2.2.18 Configuring DHCP Server Option — User-Class 


The following option adds a rule in the DHCP server to match the option 77 (User-Class). A DHCP client 
must include the option 77 that matches the value configured under the DHCP pool so that the DHCP 
server uses that pool to respond. In case several matching rules are defined, all rules must be matched. 


The User-Class is set as follows under DHCP pool configuration: 


CLI (dhcp-config) > user-class-id <ascii-string> 


To remove the User-Class option: 





CLI (dhcp-config)> no user-class-id 
4.17.2.2.19 Configuring DHCP Server Option — Raw Option 


It is very likely that some options (such as vendor extensions or standard options to be defined in the 
future) are not covered by the above-referenced commands. Additional options can be set using the option 
code. 


To set a raw option of type ASCII string, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> option ascii <code> <ascii-string> 


To set a raw option of type IP address, use the following command in DHCP configuration mode: 





CLI (dhcp-config)> option ip <code> <ip-address> 


To set a raw option of type decimal number, use the following command in DHCP configuration mode: 





CLI (dhcp-config)> option decimal <code> <decimal-number> 


To set a raw option of type hexadecimal number, use the following command in DHCP configuration mode: 








CLI (dhcp-config)> option hex <code> <hexadecimal-number> 


To remove one of the options above, use the 'no' form of the corresponding command. 
4.17.2.2.20 AZR Features 


AZR refers to Access Zone Router and designates a router, which manages certain features, especially 
required for WLAN applications: 


e Secure ARP table: the DHCP server maintains the binding database mapping MAC addresses with 
IP addresses. The server initializes the ARP table and deletes ARP entries when the lease time of an 
address expired or when the WLAN station is no more detected (see ARP ping). The secure ARP 
process prevents IP spoofing. In this mode, the ARP table cannot be updated by any other processes 
than the DHCP server (implicit authorized ARP mode). 


e DHCP session accounting: permits to send a start/stop signal to a RADIUS server, when a user 
gets/releases its IP address. Logging off means that the stations was no more detected or explicitly 
released through DHCP its address. This feature can provide basic functions enabling accounting and 
billing of a WLAN connection. Be aware that the accounting start message is only sent to the RADIUS 
server if the WLAN stations are bound to the DHCP server after that the DHCP session accounting 
command are entered. If you wish to restart accounting for all stations, use the 'clear ip dhcp 
binding *' command. 


e Dead stations detection (a.k.a. ARP ping): this feature scans periodically every station in the DHCP 
binding database and cleans the DHCP binding of a WLAN station not responding. 


Secure ARP is enabled by activating the 'update arp' command under the DHCP server pool: 


CLI (configure)> ip dhep pool <pool-name> 
CLI (dhcp-config)> update arp 
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To disable secure ARP: 


CLI (dhcp-config)> no update arp 


If ARP ping is enabled, all the IP addresses in the DHCP binding database are checked every 10 seconds. 
This check sends out ARP requests asking ‘Who has this IP?”. If the same MAC address replies to the 
ARP request, the corresponding entry can stay in the DHCP binding database. If no station replies or 
replies with the wrong MAC address (IP spoofing), the entry is released from the DHCP database (and 
from the ARP table if'update arp' was entered). To activate the ARP ping: 


CLI (configure)> ip dhcp pool <pool-name> 
CLI (dhcp-config)> arp ping [<number>] 





By default, the server sends 10 ARP requests with a timeout of 0.5 seconds. If no valid reply is retrieved 
after the timeout of the last requests, the binding is considered no more valid. To disable ARP ping: 


CLI (dhcp-config)> no arp ping 
To activate DHCP session accounting, you must first configure an AAA group made up of some RADIUS 


servers (only). The next'aaa accounting’ command activates the accounting service <acc-service>. 
Then the accounting service is referred under the DHCP server pool. 


Q 


LI 
LI 
LI 


configure)> radius-server <ip-1> <key> 

Cc configure)> radius-server <ip-2> <key> 

Cc configure)> aaa group server radius <radius-—svr-group> 
CLI (config-sg-radius)> server <ip-1> 

CLI (config-sg-radius)> server <ip-2> 

CLI (config-sg-radius)> exit 
Cc 

< 

C 

Cc 


LI(configure)> aaa accounting network <acc-service> start-stop group 
radius-svr-group> 

LI(configure)> ip dhep pool <pool-name> 

LI (dhcp-config)> accounting <acc-service> 





To deactivate DHCP accounting: 


CLI (configure)> no aaa accounting network <acc-service> start-stop group 
<radius-—svr-group> 

CLI (configure)> ip dhcp pool <pool-name> 

CLI (dhcp-config)> no accounting 





4.17.2.2.21 Clearing Automatic Binding Address 


To delete an automatic address binding from the server database, use the following command: 


CLI> clear ip dhcp binding { <ip-address> | * } 


*: clear all automatic binding. 
4.17.2.3, Configuring DHCP Relay Addresses 


If the DHCP Server works together with a DHCP relay, the IP address of the relay is to be specified using 
the following command in global configuration mode: 


CLI (configure)> ip dhcp relay dhcp-relay <ip-address> <netmask> 


To disable the interaction with a DHCP relay, use the ‘no' form of the above-referenced command: 





CLI (configure)> no ip dhcp relay dhcp-relay 


The 'smart relay' function enables to use the secondary addresses in the 'giaddr' field when the 
server does not respond with a DHCPOFFER packet. To activate this feature, use: 


CLI (configure)> [no] ip dhcp smart-relay 
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4.17.2.3.1 Configuring DHCP Relay 


If the router works as a DHCP relay, the IP address of DHCP server has to be specified using the following 
command in global configuration mode: 


CLI (configure)> ip dhcp relay dhcp-server <ip-address> 


To disable DHCP Relay, use the ‘no' form of the above-referenced command: 





CLI (configure)> no ip dhcp relay dhcp-server 
The above configuration commands relay incoming DHCP requests from any interface to the server. In 
order to relay requests coming only from one interface, the following command must be preferred: 

CLI (configure)> interface <type> <unit> 

CLI (config-if)> [no] ip helper address <A.B.C.D> 
If a helper address is configured, DHCP relay (configured by the 'ip dhcp relay dhcp-server <ip>' 
comman4q) is disabled. 
To allow the DHCP relay to insert option 82 (disabled by default): 


CLI (configure)> [no] ip dhcp relay information option 


To allow the DHCP relay to insert the option 82.6 (disabled by default): 


CLI (configure)> [no] ip dhcp relay information option subscriber-id 
<string> 


4.17.3 Device Association 


Device association is a set of functions so that the OneOS DHCP server detects LAN devices by means of 
certain DHCP options and applies specific processing. The following functions are implemented: 


e TR-111 association: the DHCP option 125 (and associated sub-options) is used so that the LAN 
device and gateway exchange their identity. The gateway / LAN device identities are then used within 
the CWMP (TR-69) protocol. 


e Secure association: the DHCP option 43 is used. As specified by RFC 2132, the option 43 is a 
“vendor extension” that OneAccess uses to implement a proprietary protocol. This protocol is a 4-way 
handshake protocol such that an OneOS DHCP server securely identifies a remote OneAccess device 
and exchanges encrypted information. The secure association is notably used for the HTTP proxy. 
The HTTP proxy takes incoming HTTP requests and forwards them to the associated LAN device if 
needed. 


To show association statistics and to debug association, use the following commands: 


CLI> show association {cwmp | secured-association} 
CLI> debug association {cwmp | secured-association | proxy—-http} 


4.17.4 Configuration Examples 
4.17.4.1_ DHCP Client 


Suppose that the address of Ethernet interface in the following figure is obtained through DHCP. This can 
be done using the following configuration commands: 


interface ethernet 0/0 
ip address dhcp 
exit 


4.17.4.2_ DHCP Server 


The following configuration example of the DHCP server will describe how to configure a DHCP address 
pool, a manual binding, and how to exclude IP addresses. 


In this example, the private network uses the private address space 192.168.2.0. The hosts need a DNS 
server and a default router to reach the public network - the Internet. 


A database agent is used to store the binding database. The file transport protocol is TFTP. The TFTP 
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server IP address is 192.168.2.133, the database is named "database-binding" and the interval time 
between updates is 60 seconds. 


The primary DNS server address is 193.253.180.3, the secondary DNS server address is 193.253.180.4. 
The default router address is 192.168.2.20, which is the interface address of the router. 


a 


192.168.2.4/24 
00:80:00:DE:4C:5F 
hostname: alice 












































Private 
Network 
192.168.2.0 


The configuration is written using the following commands: 


ip dhcp database tftp://192.168.2.133/database-binding 60 
ip dhcp pool server_pool 

network 192.168.2.0 255.255.255.0 
dns-server 193.253.180.3 193.253.180.4 
default-router 192.168.2.20 

exit 

ip dhcp excluded-address 192.168.2.20 

ip dhcp pool alice 

host 192.168.2.4 

hardware-address 00:80:00:DE:4C:5F ethernet 
client-name alice 

exit 


4.17.4.3| DHCP Relay 
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DHCP Server 


192.168.2.4/24 192.178.10.43 


00:80:00:DE:4C:5F 
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The script to use is as follows: 
ip dhcp relay dhcp-server 192.178.10.43 


Note that at the DHCP relay, the DHCP server could be connected directly or indirectly through an 
interface other than Ethernet, such as ATM. 


4.17.5 Statistics 


Use the following command to display DHCP Server, Client and Relay statistics: 


CLI> show ip dhcp statistic 


Use the following command to reset DHCP Server and Relay statistics: 


CLI> clear ip dhcp statistic 


Use the following command to display the resources available: 





CLI> show ip dhcp server pool 


Use the following command to display DHCP binding database: 





CLI> show ip dhcp binding [ip-address] 


Use the following command to display database agent information: 


CLI> show ip dhcp database 
4.17.6 Debug and Trace 


To enable debugging for the DHCP Server, Client and Relay, use the following command in global mode: 
CLI> debug ip dhcp 


To disable debugging for the DHCP Server, Client and Relay, use the ‘no' form of the above-referenced 
command. 
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4.18 DYNAMIC DNS CLIENT 


This section describes the main features of the Dynamic Domain Name Server and its configuration. 
4.18.1 Features 


DynDNS is a set of protocols that enable to submit changes of public IP addresses to a provider of domain 
names. A DynDNS client tells the name provider that an IP address provided by an ISP changed for a 
given name. The name provider can update the DNS database. This feature is useful when a server/router 
must be reached via a fixed identifier: since its IP address is due to change quite often, the router/server is 
contacted using its FQDN managed via DynDNS (FQDN: Fully Qualified Domain Name, in the form of 
<name>.<domain>.<extension> - like foo.domain.com -). 


Examples: 
e Web server connected via a standard ISP connection 


e Router with IPsec tunnels: the IKE session establishment is done with the IKE peer by 
resolving the peer FQDN (N.B.: only possible when using the IKE aggressive mode) 


e Router with GRE or IP-IP tunnels 


OneOS sends an update to the DynDNS server when an interface with a public IP address goes UP. A 
public IP address is an IP address that is NOT in the following ranges: 


e §=610.0.0.0 - 10.255.255.255 
e §=172.16.0.0 - 172.31.255.255 
e §=192.168.0.0 - 192.168.255.255 


Typically, when using a PPP over ADSL connection, the service provider assigns a temporary public IP 
address to your router (class A or B addresses). This IP address will be advertised by OneOS. If the 
OneOS-based router does not have any public IP address, no DynDNS update is sent. 


4.18.2 Configuration 


To exchange information with the name provider, it is compulsory that the router be authenticated by a 
username/password configurable on the command line. Use the following configuration command line to 
configure a username/password: 


CLI (configure)> ip dyndns username <username> <password> 


Use the ‘no’ form of the above command, to remove authentication: 

CLI (configure)> no ip dyndns username 
Provider of domain names can host several domain names. Depending of the capability of the provider, it 
is possible to configure up to three different domain names. Use the following configuration command line: 


CLI (configure)> ip dyndns hosting <namel> [<name2> [<name3>]] 


Use the ‘no’ form of the above command to remove hosting configuration: 
CLI (configure)> no ip dyndns hosting 
It is possible to enable access to several hosts other than router itself by using wildcard command. For 


example, ftp server can be accessible by using host name ftp.foo.com. Use the following configuration 
command line: 


CLI (configure)> ip dyndns wildcard { on | off } 


OneOS supports three DynDNS providers. Those providers are selected by using following command line. 
To use dyndns.org DNS support, use the following command line, with optional parameters depending on 
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kind of use: dynamic is intended for frequent IP address changes (standard cases with ISP), whereas 
static and custom modes correspond to more advanced DynDNS service subscription. 


CLI (configure)> ip dyndns dyndns [ dynamic | static | custom] 


To use eurodns.org DNS support, use the following command line: 


CLI (configure)> ip dyndns eurodyndns [ dynamic | static | custom] 


To use no_ip.com support, use the following command line: 


CLI (configure)> ip dyndns no-ip 
Use the no form of the above command, to remove provider reference: 
CLI (configure)> no ip dyndns 


4.18.3 Show 


To display statistics about DynDNS configuration, use the following command line: 


CLI> show ip dyndns 
DynDns service dyndns 

User oneaccess, password secret 

host used is oneaccess.dyndns.org 

updates 0, errors server 0, authentification 0, system 0 


4.18.4 Debug and Trace 


To enable DynDNS debugging, use the following command: 


CLI> debug ip dyndns 


CLI> no debug ip dyndns 
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4.19 


4.19. 


AUTO-UPDATE 


1 Introduction 


This section describes the auto-update features of OneOS. 


Auto-update enables to automatically acquire configuration parameters and update software/web 
Configurator or any file stored in OneOS-based router flash file system. 


The objective of such function is primarily to optimize deployment and maintenance costs of a large 
installed base of routers. This function is the cornerstone to realize zero-touch service activation. 


Note that this function is an alternative to another OneOS feature called ‘autoconfiguration’ (see section 
4.21). Autoconfiguration uses DHCP, TFTP and FTP protocols whereas auto-update uses HTTP. 
Autoconfiguration and auto-update are mutually exclusive. The advantages of auto-update are: easier to 
implement (no firewall issues caused by DHCP) and more open for web Configurator upgrade. 


Auto-Update Sequencer 


The auto-update sequencer is a state machine managing the execution of auto-update jobs. Auto-update 
jobs can be: 


e Single file update 

e Update of a set of files via TAR archive download and extraction 

e Software update 

e Configuration update 

The sequencer starts the auto-update operation further to auto-update triggers, namely: 
e The user entered an auto-update command requesting the start of auto-update 

e A monitored interface went up 

e The auto-update periodic timer elapsed 


Further to a trigger, the auto-update sequence is started. It means that the sequencer initiates each update 
job sequentially (they are ordered with a sequence ID). When done, the sequencer examines the returned 
job execution status (can be “update successful’, “no error, no update”, and “failure”). For every job, the 
sequencer is informed (per configuration) of the next step to execute depending on the returned status 
(can be “stop auto-update sequence”, “continue”, “reboot”). When every job is executed, the sequencer 
looks if there was at least one update. If one update happened, a configuration parameter indicates if the 
router shall reboot or not. 


The auto-update sequencer state machine is represented hereafter: 
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sequenceid:=1 
start_update_job(sequenceid) 













job_status=last_update_job_status() 
next=get_next_job(job_status,sequenceid) 


Reboot 
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Yes => reboot 
"reboot"? > 






Must reboot in case of 
at least one update 









All Jobs completed? 





No (next=continue) 






sequenceid:=sequenceid+1 
start_update_job(sequenceid) 








Software Update 


Before downloading the OneOS software, the router queries the software version that should be used. This 
current OneOS version is compared with running version indicated by the ‘show version’ command. If it is 
different from OneOS version in server, the OneOS file is downloaded. After download, software integrity is 
checked. If the check is passed, the new OneOS replaces the current OneOS in flash. 


Configuration Update 


Before downloading the configuration, the router may query the configuration index (a kind of version for 
the configuration, optional in the configuration). If the router does not query the configuration index, the 
configuration file is downloaded directly and compared with the configuration download during the last 
auto-update sequence. If they are different, OneOS continues configuration update. 


This current configuration index is saved in router flash. If it is different from configuration version in server, 
the configuration file is downloaded. 


After configuration download, two behaviors are possible: 


e Execute the configuration. If no error in execution is detected, the upgrade is considered successful. If 
successful, the running version is saved. If not successful, the router saves the configuration index in 
flash and reboots. 


e The configuration index is saved in flash. The router replaces the current configuration with the new 
one and reboots. 


TAR File Update 


Before downloading the TAR, the router queries a TAR index (a kind of TAR file version). The current 
index is saved in router flash. If it is different from TAR index on server, the TAR file is downloaded and 
extracted. The TAR file update is needed when many files needs to be updated. 
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Contents on HTTP Server 

e Configuration index: integer positive number (1-65535). 

e Configuration: content of a text configuration file (carriage return is \n or \r\n). 

e OneOS: content of the * .22z binary file (example: ONEOS4-VOIP_SIP-V3.7R11E15.ZZZ). 


e OneOS index: exact version name, as displayed by show version. Example: ONEOS4-VOIP_SIP- 
V3.7R11E15 (1-32 characters). 


e TAR index: integer positive number (1-65535). 
e TAR file: valid TAR file. 


4.19.2 Configuration 


To start configuring auto-update, enter in global configuration terminal and enter the auto-update 
configuration data: 


CLI> configure terminal 


CLI (configure)> [no] auto-update 


Then, the auto-update sequence trigger must be defined. It can be a periodic timer or the ‘UP’ event of a 
monitored interface. Triggers are not exclusive with each other. 





CLI (auto-update) > trigger daily-restart-timer <StartHour> <EndHour> 
[<days>] 
CLI (auto-update) > trigger monitored-interface <type> <unit> [delayed- 
start <seconds>] 


The daily restart timer schedules a trigger in <days> days within a random hour between <StartHour> 
and <StopHour>. For example, ‘trigger daily-restart-timer 01:00:00 02:30:00 2' 
schedules a trigger between 1:00 and 2:30 every two days. 


One monitored interface can be configured with configurable timer (by default: no delayed-start 
timer). Example: 'trigger monitored-interface atm 0.1’. 


To remove the triggers: 


CLI (auto-update) > no trigger daily-restart-timer 
CLI (auto-update) > no trigger monitored-interface <type> <unit> 


If a trigger happens too quickly, auto-update ignores it. In other words, as long as a min-interval timer has 
not expired, the trigger events do not start the update sequence. By default, the timer is 30 minutes long 
and can be set as follows: 


CLI (auto-update) > min-interval <minutes> 


After completing the update sequence, you may force auto-update to reboot the router or not in the event 
one successful update occurred. If at least one update happened at the end of the sequence, the router 
reboots by default. By choosing stop, the router will not reboot and just wait for next trigger. 


CLI (auto-update) > on any-update { reboot | stop } 


Auto-update packets take as source address the IP address of outgoing interface, but it can be forced: 


CLI (auto-update)> { source-interface <intf> <unit> | no source-interface} 


The HTTP server may return different data (e.g. a different configuration file), when querying the same 
URL from different routers. In order to discriminate the GET requests from the different routers, every 
router can insert extra GET parameters. For example, it can query the following URL: 
http://server/version.php?ppplogin=value&mac=00:A0:FE:12:B8:59&firmware=xxxx&s 
erial=xxxxx&cpe_version=xxxxxé&cpe_type=xxxxxéhardware=onel00éevent=1é faultCode 
=0. In order to insert this parameter list (ppp login=valueémac=00:A0:FE:12:B8:59...), the next 
command is needed: 











CLI (auto-update)> [no] http-get-extra-parameters 1 
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The fault Code parameter in the above mentioned URL can have the following values: 
e 0: no error during the last auto-update, or just initial boot 

e 1: download of software index has failed 

e 2: download of software has failed 

e 3: the downloaded software did not pass the integrity check 

e 4:not enough space on the flash to terminate the software download 

e 10: download of configuration index has failed 

e 11: download of configuration has failed 


e 12: the downloaded configuration execution has failed 


Software Update 


To allow software update enter the next command, where <sequence-id> is the step for the auto-update 
sequencer. The sequence number is intended to configure if software update must be done before or after 
configuration update. To enter the URL for software and software (index) version: 


CLI (auto-update) > software-update <sequence-id> 
CLI (sw-update)> index-url http://<path>/<software-version> [current-sw- 
version <suffix>] 
CLI (sw-update)> url http://<path>/<software-version> [current-—sw-version 
<suffix>] 


If the current-sw-version parameter is present, the URL is a concatenated string from URL + running 
software name (such as ONEOS4-VOIP_SIP-V3.7R11E15) + the <suffix>. 


Before replacing the running software image file by the new one, auto-update saves the new OneOS 
under a temporary file. If it is valid, the temporary file replaces the running OneOS; and the running 
OneOS is saved as a backup image in flash. The back filename is by _ default: 
flash://BSA/binaries/OneOs.old. To use another name: 


CLI (sw-update)> backup-software <path/filename> 


If the software is successfully updated, by default, the auto-update sequence continues; but the behavior 
can be changed as follows: 


CLI (sw-update) > on update-success {continue|stop|reboot} 


If an error occurs during software update, by default, the auto-update sequence stops and wait for next 
trigger; but the behavior can be changed as follows: 


CLI (sw-update) > on update-failure {continue|stop|reboot} 


To complete the process, simply enter ‘exit’. 


CLI (sw-update)> exit 


To remove software update: 


CLI (auto-update) > no software—-update 


TAR File Update 


To allow TAR file update, enter the next command, where <sequence-id> is the step for the auto-update 
sequencer (it is recommended to choose as 1; the software should always be updated first). To enter the 
URL for software and software index version: 


CLI (auto-update) > tar-resource-update <sequence-id> 
CLI (tar-res-update)> index-url http://<path>/<tar-version> [current-sw- 
version <suffix>] 
CLI (tar-res-update)> url http://<path>/<tar-file> [current-sw-version 
<suffix>] 
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If the current-sw-version parameter is present, the URL is a concatenated string from URL, running 
software name (such as ONEOS4-VOIP_SIP-V3.7R11E15) and the <suffix>. 


You must specify a target directory. With the option ‘clean-up’, the files of this directory is erased. If the 
option 'clean-up all-sub-dir' is used, the target directory is erased including all its sub-directories. 


CLI (tar-res-update)> target <TargetDir> [clean-up [all-sub-dir]] 


The TAR resource update can be used for various purposes. It may require the restart of http server or IBC 
shutdown. You can specify with the next command, the actions to operate before/after downloading the 
TAR file: 


CLI (tar-res-—update) > pre-update-action { http-server-disable | ibc- 
shutdown} <order-id> 

CLI (tar-res-—update) > post-update-action { http-server-enable | ibc-— 
noshutdown} <order-id> 


If the TAR is successfully updated, by default, the auto-update sequence continues; but the behavior can 
be changed as follows: 


CLI (tar-res-update) > on update-success {continue|stop| reboot} 


If an error occurs during TAR update, by default, the auto-update sequence stops and wait for next trigger; 
but the behavior can be changed as follows: 


CLI (tar-res-—update)> on update-failure {continue|stop| reboot} 


To complete the process, simply enter ‘exit’. 


CLI (tar-res-update) > exit 


To remove TAR update: 


CLI (auto-update) > no tar-ressource-update <id> 


Configuration Update 


To allow configuration update, enter the next command. <sequence-id> is the step for the auto-update 
sequencer. To enter the URL for configuration and configuration index version: 


CLI (auto-update) > config-update <sequence-id> 

CLI (cfg-update)> index-url http://<path>/<config-version> [serial-number 
<suffix>] 

CLI (cfg-update)> url http://<path>/<config-file> [serial-number <suffix>] 


If the serial-number parameter is present, the URL is a concatenated string from URL + serial number + 
the <suffix>. 


One can choose between these behaviors: 


e The current configuration file is overwritten by the new one (if they are different), then the auto-update 
sequence continues (in this case the downloaded configuration replaces the current one) (default). 


e The new configuration is added to the current configuration (if the add-in is different from the previous 
one). The downloaded configuration add-in is first executed in a temporary file, and if it is successful, it 
is saved in another file then a "save running" is done. If not successful the behavior depends on the 
auto-update configuration. 


CLI (cfg-update) > download-behaviour { overwrite | add-in } 


If the configuration is successfully updated, by default, the auto-update sequence continues; but the 
behavior can be changed as follows: 


CLI (cfg-update) > on update-success { continue | stop | reboot } 
If an error occurs during configuration update, by default, the auto-update sequence stops and wait for 


next trigger; but the behavior can be changed as follows: 


CLI (cfg-update) > on update-failure { continue| stop |reboot } 
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To complete the process, simply enter ‘exit’. 


CLI (cfg-update)> exit 


To remove configuration update: 


CLI (auto-update) > no config-update 


AUX LED status: 
e Orange, blinking: auto-update in progress 
e Steady green: auto-update successfully completed 


e —_ Blinking red: auto-update failure(s) 
4.19.3 Example 


configure terminal 

auto-update 
trigger monitored-interface Atm 0.1 
trigger daily-restart-timer 01:00:00 02:00:00 1 
source-interface loopback 4 
http-get-—extra-parameters 1 
software-update 1 


index-url http://autoupdate.com/sw-index/ current-sw-version 


url http://autoupdate.com/sw/ current-sw-version .22Z2 
backup-software /BSA/binaries/myOneOs.old 

exit 

config-update 2 


index-url http://autoupdate.com/config-index/ serial-—number 


url http://autoupdate.com/config/ serial-number’ .cfg 
download-behaviour overwrite 

exit 
tar-resource-update 4 

target /webroot/html clean-up all-sub-dir 


index-url http://autoupdate.com/tar-index/ current-sw-version 


url http://autoupdate.com/tar/ current-sw-version .tar 
pre-update-action http-server-disable 1 
post-update-action http-server-enable 1 
exit 

exit 

exit 


4.19.4 Debug and Statistics 


To start auto-update manually: 


CLI> auto-update start 


To stop auto-update manually (i.e. auto-update completes the current update job but does not carry out 


next step): 


CLI> auto-update stop 


To activate debug traces for auto-update: 


CLI> debug auto-update 


Some auto-update history information is kept in circular files: 


CLI> cat flash: //auto-updatel.log 
CLI> cat flash://auto-update2.log 
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To show auto-update statistics: 


CLI> show auto-update statistics 


To show auto-update configuration: 


CLI> show auto-update setup 
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4.20 CPE WAN MANAGEMENT PROTOCOL (CWMP - TR-69) 


4.20.1 Feature Description 


OneOS implements the CPE WAN Management Protocol (CWMP) specified by the specification TR-069 of 
the DSL forum. This feature is introduced as of V4.2 and allows updating OneOS routers firmware, 
configuration file and additional files. 


The CWMP is structured in different layers, from IP connectivity to RPC calls encoded in SOAP. It is 
required that the OneOS router is pre-configured in such a way that IP/DNS connectivity and ACS URL are 
known. (ACS URL or IP cannot be auto-configured as depicted in TR-44 or TR-46). 


4.20.1.1_ CWMP Transport Layer 
CWMP requires http/https as transport layers for RPC; the following transport layer characteristics are 
implemented in OneOS: 
e The destination port is configurable (default: 7547) 
e If HTTP is used, authentication via pre-shared key is optional (cf. RFC2617, MD5-hashed digest) 
e The ACS can be designated by an IP or a hostname 
e HTTPS is optional. HTTPS requires that the product is loaded with appropriately signed certificates 


e The source IP address of CWMP packets sent by the router cannot be forced to use a specific IP 
address of a router interface. 


e __If the server sets cookies, the cookie is persistent in further HTTP requests 
4.20.1.2_ INFORM RPC: Triggering Events and Content 


When the CPE boots or upon specific events, the CPE indicates to the ACS that it is willing to establish a 
TR-69 session by sending an INFORM RPC. 


The INFORM RPC contains an event to indicate the trigger type of the INFORM RPC. They are: 
e “0 BOOTSTRAP”: first product installation. 


e “{ BOOT”: theoretically speaking, it means the router has rebooted. In reality, this event is fired when 
a monitored interface is going up. Typically, the boot inform is sent when ATM 0.1 interface is going 
up. OneOS CWMP module keeps track of past operations using the file /BSA/persist/cwmp.ini. 
OneOS takes the decision by reading this file to use the BOOT or BOOTSTRAP event. At first 
installation, this file does not exist and BOOTSTRAP is the used event. A delay timer prevents to send 
INFORM requests too early at boot time so that SNTP server can be synchronized. 


e “2 PERIODIC’: the ACS can configure that the CPE sends periodically an INFORM RPC. Enabling 
this mode and periodicity is set by the ACS. The periodic INFORM parameters can be manipulated via 
the SetParameterValue and GetParameterValue RPC. 


e “4 VALUE CHANGED”: in case the ACS URL is updated in CPE configuration or if the IP address of 
the monitored interface has been renewed. 


e “9 REQUEST DOWNLOAD”: a CLI command (or Web configurator of the CPE) may issue an 
INFORM with that event code. The ACS will look up if there is a new OS / Web / config for the CPE. 








The following inform event codes are supported for informs triggered further to an ACS request: 
e “3 SCHEDULED”: caused by the SCHEDULED INFORM RPC 
e “6 CONNECTION REQUEST” 


The INFORM contains certain fields, for which a small explanation is given hereafter: 





e MaxEnvelopes=1 
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e Sub-objects of Deviceld: 
e Manufacturer: OneAccess_ Networks 
e out: the first three bytes of the product MAC address is taken. Today: 0012EF 


e ProductClass: if the product is loaded with a X.509 certificate, the ProductClass is 
derived from the common subject name of the certificate (cf. line CN: ...). If there is no 
certificate, ProductClass is taken from the product info area in read-only system area (see 
further ahead the CLI command product-class-specification) 


e Sub-objects of ParameterList: 





° InternetGatewayDevice.DeviceInfo.HardwareVersion: see show product-info- 
area CLI, atline Manufacturing file reference 


° InternetGatewayDevice.deviceSummary 








e InternetGatewayDevice.DeviceInfo.SpecVersion (dumb value: empty) 





e InternetGatewayDevice.DeviceInfo.SoftwareVersion: same string as provided by 
show version command 





e InternetGatewayDevice.ManagementServer.ConnectionRequestURL 





e InternetGatewayDevice.ManagementServer.ParameterKey 


e InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnecti 
on.1.ExternalIPAddress or 
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnectio 
n.1.ExternalIPAddress: public IP address that is used as monitored interface. 


























e Any customized parameter: a CLI command makes it possible to create custom objects that 
are inserted in the INFORM data. 


4.20.1.3 Initiating TR-069 Sessions from ACS 
4.20.1.3.1 Connection Requests 


ACS-initiated sessions are needed to perform immediately actions on the CPE (such as software update). 


The ACS must send an HTTP GET request to the embedded HTTP server of OneOS, dedicated to TR-69. 
(Note that there might two instances of HTTP servers running in OneOS - one for web-based 
configuration, one for TR-69 - ). 


The TR-69 http server is bound to a configurable port and interface (and optionally an ACL). The GET 
request can be authenticated by means of a password. After authentication, OneOS sends an Inform with 
“6 CONNECTION REQUEST” as event code. 


4.20.1.3.2 Scheduled Inform 
The ACS can ask the CPE to send an INFORM later at a specified time. In that case, the event code in the 
INFORM will be “3 SCHEDULED”. 
Use case: Scheduled informs are useful for an ACS to schedule firmware updates of many CPE while 
limiting the number of simultaneous firmware upgrades. 


4.20.1.4 RPC invoked by ACS 


When invoking the INFORM RPC (sent because of reboot, interface going up, connection request from 
ACS ...), the ACS is due to answer with an INFORM response containing the action to perform, namely an 
RPC call and associated parameters. 


DOWNLOAD RPC 
The supported downloaded file types are: 
e “1 Firmware Upgrade Image”: to update the CPE firmware 


e “2 Web Content”: to download and extract a TAR file in the flash: //webroot directory 
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e “3 Vendor Configuration File”: to update the router configuration 


The files can be downloaded with HTTP or HTTPS transport protocol with optional username/password 
authentication. 


N.B.: in Download RPC, the failure/success URL redirect is not implemented. 
Firmware Update 


The inform response specifies the URL to query to download the firmware, username and passwords for 
authentication. The parameters <FileSize> and <TargetFileName> are ignored. 


In router configuration, a parameter defines the backup firmware, in case the new firmware is invalid 
(default backup-software: /BSA/binaries/OneOs.old). Actually, the appropriate setup is to configure 
the router as follows: 


e /BSA/bsaBoot.inf specifies the running firmware as /BSA/binaries/OneOs.new 


e Backup firmware is /BSA/binaries/OneOs. Implicitly, the OneOS boot loader tries to load 
/BSA/binaries/OneOs.new at boot; if this file is invalid (e.g. power-off during software download), 
the boot loader loads the backup software /BSA/ binaries/OneOs. 


Before downloading the file, the running software (if it exists) is renamed to overwrite the backup firmware. 
The new firmware replaces the running firmware (typically OneOs . new). After download, software integrity 
is checked. If the check is not passed, the new firmware is removed. 


After reboot, an INFORM RPC is sent with event code “7 TRANSFER COMPLETE”. 
Configuration Update 
The parameters <FileSize> and <TargetFileName> are ignored. 


The configuration file is downloaded in /BSA/bsaStart.cfg.new.au and compared with the 
configuration download during the last TR-069 configuration update operation 
(/BSA/config/bsaStart.cfg.add.au or /BSA/config/bsaStart.cfg.bad.au). If they are 
different, OneOS continues configuration update otherwise the operation is considered successful. 


After configuration download, two behaviors are possible: 


e Execute the downloaded configuration (upgrade mode=add-in). If no error in execution is detected, 
the upgrade is considered successful. If successful, the running configuration is saved. The 
downloaded configuration file is saved in /BSA/config/bsaStart.cfg.old.au. The download 
operation result is successful if the downloaded file is not empty and the configuration file is executed 
without errors. 


e Replace the current configuration (mode=overwrite). The downloaded configuration file is saved in 
/BSA/config/bsaStart.cfg.old.au. The router replaces the current configuration with the new 
one. The download operation is always considered successful, if the downloaded configuration file is 
not empty. 


Upon operation success, a reboot is done and after reboot, an INFORM RPC is sent with event code “7 
TRANSFER COMPLETE”. 


With the mode adc-in, if the configuration is not executed properly, reboot is done automatically to restore 
the older configuration. 


After successful download, a reboot can be done if a configuration flag enables it. 
Web Configurator Update 
The parameter <FileSize> is ignored. 


The TAR file is downloaded and extracted in the directory provided in <TargetFileName> tag (typically 
flash://webroot). Prior to doing the extraction, the web server is shutdown and the web directory is 
cleaned. After extraction, the http server is re-enabled again. 


Finally, an INFORM RPC is sent with event code “7 TRANSFER COMPLETE”. After successful download, 
a reboot can be done if a configuration flag enables it. 


Reboot RPC 
The ACS can invoke the REBOOT RPC. 
FactoryReset RPC 


The ACS can invoke this RPC so that the product reboots and returns to factory defaults. 


Page 4.20-403 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


Upload RPC 

This RPC enables an ACS to request the CPE to upload a file on a server. The following restrictions apply: 
e Only FileType “1 Vendor Configuration File” is supported (i.e. upload of the running configuration) 

e Transport layer can be: http or https, with or without username/password authentication 
GetRPCMethods 

This RPC enables the ACS to retrieve the list of supported RPC. 

SetParameterValues / GetParameterValues / GetParameterNames 


The above RPC are supported to handle CWMP managed objects. 
4.20.1.5 TR-69 Scenarios behind a NAT Gateway (TR-111, TR-69 Pass-through) 


Problem statement: a LAN device managed by CWMP protocol is addressed with a private IP address. 
This raises a security concern in that the LAN device could be installed and running from any LAN. Also for 
incoming connection requests, the LAN CPE should indicate a Connect ionRequestURL with a publicly 
IP addressable IP. 


To solve this technical issue, the DSL forum released the TR-111 standard. 


OneOS fully supports TR-111 part 1 (Device-Gateway Association) as gateway and as LAN device (a CLI 
parameter defines if the OneOS-based router must behave as gateway or LAN device). If the OneOS- 
based router is configured as LAN device, all objects in its data model start from root object Device. * 
instead of InternetGatewayDevice.*. 





OneOS fully supports TR-111 part 2 (Connection Request via NAT Gateway) that allows an ACS to initiate 
a Session with a device that is operating behind a NAT Gateway. This provides the equivalent functionality 
of the TR-069 Connection Request, but makes use of a different mechanism to accommodate this 
scenario. 


4.20.2 Configuring CWMP 


To start configuring CWMP, enter in CWMP configuration mode as follows: 


CLI> configure terminal 
CLI (configure) > cwmp 
CLI (cwmp) > 





The ProductClass can be configured. It can be taken either from the X.509 certificate (if available) or the 
motherboard type or the product name (see CLI commands show product-info-area at line 
Motherboard type and show system hardware at line Device - default cert-or-mb-type): 





CLI (cwmp)> product-class-specification { cert-or-mb-type | 
mb-type | 
product-name } 


The ACS URL must be configured. The ACS URL can be a designated name or an IP address. The URL 
may contain a port number in case a different port than default (7547) is used: 

CLI(cwmp)> aes url {http|https}://<ip-or-name>[:<port>]/<path>/<filename> 
If HTTP connection of the CPE is authenticated by means of a password, the next command line must be 
entered (authentication for HTTP sessions initiated by the CPE). Note that the password can be a static 


string or a string made up of a static string concatenated with the serial number (so that every router has a 
different password): 


CLI(cwmp)> [no] acs auth password <string> [serial-number] 


The serial number can be either the true serial number of the device (default) or a particular backup 
number: 


CLI (cwmp)> serial-number { default | bnumber } 


The monitored interface must be configured. It defines the interface that triggers the sending of an 
INFORM RPC whose event if BOOT or BOOTSTRAP after a configurable timer (by default: no delayed- 
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start timer). The monitored interface is also the IP address that is in the INFORM: 
e To construct the URL for connection request. It is: http://<monitored-interface-ip>/<random> 


e ~=To know if the ExternalIPAddress is a PPP or IP interface for the object 

InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1. 
ExternallIPAddress or 
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1.E 
xternallIPAddress 

















The following command can be entered up to 5 times in order to monitor up to 5 interfaces. 


CLI(cwmp)> [no] trigger monitored-interface <type> <unit> [delayed-start 
<seconds>] 


If the OneOS-based router is installed as a LAN device (TR-111 client), the TR-111 association must be 
configured as a trigger; the BOOT/BOOTSTRAP events will only trigger an INFORM if the TR-111 
association is successful (use of DHCP option 125 to learn the gateway identity). 


CLI(cwmp)> [no] trigger gateway-association 


Note: the command trigger gateway-association does not trigger TR-111 association, but 
modifies the trigger monitoring an interface. If the command is entered after that the monitored interface is 
up, nothing will happen. 


CWMP packets take as source address the IP address of outgoing interface, but it can be forced: 


CLI(cwmp)> { source-interface <intf> <unit> | no source-interface } 


When software upload is required, the inform response specifies the URL to query to download the 
firmware, username and passwords for authentication. Today, the parameters <FileSize> and 
<TargetFileName> are ignored. 


In the case where the firmware transfer can take another path that the query, it is possible to force the 
actual source address for the transfer: 


CLI (cwmp)> { transfer-source enable | no transfer-source } 


In router configuration, a parameter defines the backup firmware, in case the new firmware is invalid 
(default backup-software: /BSA/binaries/OneOs.old). Actually, the appropriate setup is to configure 
the router as follows: 


e /BSA/bsaBoot.inf specifies the running firmware as /BSA/binaries/OneOs.new 


e Backup firmware is /BSA/binaries/OneOs. Implicitly, the OneOS boot loader tries to load 
/BSA/binaries/OneOs.new at boot; if this file is invalid (e.g. power-off during software download), 
the boot loader loads the backup software /BSA/ binaries/OneOs. 


Before downloading the file, the running software (if it exists) is renamed to overwrite the backup firmware. 
The new firmware replaces the running firmware (typically OneOs . new). After download, software integrity 
is checked. If the check is not passed, the new firmware is renamed and the router reboots. Finally, an 
INFORM RPC is sent with event code “7 TRANSFER COMPLETE”. 


To use another name for backup software, use the next command: 


CLI (cwmp)> [no] backup-software <path/filename> 


Configuration download: the configuration file is downloaded in temporary file and compared with the 
configuration download during the last TR-069 configuration update operation. If they are different, OneOS 
continues configuration update otherwise the operation is considered successful. 


After configuration download, two behaviors are possible: 


e Execute the configuration (mode=add-in) If no error in execution is detected, the upgrade is 
considered successful. If successful, the running version is saved. The downloaded configuration file 
is saved. The download operation result is successful if the downloaded file is not empty and the 
configuration file is executed without errors. With the mode add-in, if the configuration is not executed 
properly, a reboot is done automatically. 


e (mode=overwrite) (default) The downloaded configuration file is saved in /BSA/config/bsaStart.tr69. 
The router replaces the current configuration with the new one. The download operation is always 
considered successful, if the downloaded configuration file is not empty. The router reboots. 
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CLI (cwmp)> config-update download-behaviour {add-in |overwrite} 


Custom proprietary objects may be inserted in the data model. 








CLI(cwmp)> [no] set-param <proprietary-managed-object-name> <value> [set] 
[get] [inform] [val-chd] 


The optional arguments after the value define how the object is accessed: 


e set: the object can be read by the Get ParameterValue RPC 





e get: the object can be read by the Set ParameterValue RPC 





e inform: the object is included in the INFORM 


e val-chd: a value change on this object causes an ACS notification 


4.20.3 CWMP Data Model 


Operations with the data model can be done by means of the following RPC: SetParameterValues, 
GetParameterValues and GetParameterNames. 








These operations can be simulated by means of CLI commands that query the OneOS CWMP stack and 
are expected to return the same result as the corresponding RPC. In the following CLI commands, it is not 
necessary to include the managed object root keyword (either “InternetGatewayDevice.” or 


MD, e 


“Device.” “.” is enough). 





To simulate GetParameterValues: 








CLI> cwmp get-param <managed-object—name> 





To simulate SetParameterValues: 





CLI> cwmp set-param <managed-object-name> <value> <type> 





To simulate GetParameterNames: 





CLI> cwmp get-param-names <managed-object-path> 


To dump the supported OneOS data model: 


CLI> cwmp get-—param-names 


The CWMP data model include some objects that are instantiated: they are present if the corresponding 
service is explicitly configured in OneOS configuration. An object instance is identified by its number, for 
example: “InternetGatewayDevice.LANDevice.1”. The following table explains how to understand 
several instantiation numbers of CWMP managed objects. To simplify notations, the root object 








(“InternetGatewayDevice.” or “Device.”) is omitted. 





CWMP Object Instance 


Corresponding Service in CLI Configuration 





LANDevice. {i} 


The i-th instance corresponds to the BVI number. CLI configuration: 
configure terminal 
interface bvi {i} 
exit 
exit 





LANDevice.{i}.Hosts.Host.{j} 


When querying such object, OneOS CWMP engine looks up the 
DHCP pool associated with the BVI {i}; i.e. the DHCP pool must 
be within BVI IP network. Host. {3} is the j-th host in the DHCP 
binding table that corresponds to that pool. 








LANDevice. {i}.LANEthernetInterf 
aceConfig.{j} 














LANEthernetInterfaceConfig.{j} corresponds to _ the 
Ethernet port fastEthernet 0/{j-1}. That port must be port of 
the BVI {i} bridge group. CLI configuration: 





configure terminal 
interface bvi {i} 
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bridge-group <x> 

exit 

interface fastEthernet 0/{j-1} 

bridge-group <x> 

no ip address 

exit 
exit 





LANDevice. {i}.LANHostConfigMana 
gement.IPInterface. {j} 


IPInterface.1 corresponds to the main IP address; the following 
instances are secondary addresses by order of configuration. CLI 
example: 


configure terminal 
interface bvi {i} 
! IPInterface.1 
ip address 192.168.1.1 255.255.255.0 
! IPInterface.2 
ip address 192.168.1.1 255.255.255.0 second 


exit 
exit 





LANDevice. {i} .WLANConfiguration 
-{j} 


WANDevice. {i} 


The j-th instance corresponds to the interface dotllradio 
0/ {73}. It must be part of BVI {1} bridge-group. 


configure terminal 
interface bvi {i} 


bridge-group <x> 
exit 
interface dotlilradio 0/{j} 
bridge-group <x> 
no ip address 
exit 
exit 
{i} is the index of the physical interface minus one. Each ATM 


physical interface: atm {i-1}.y. {i} is therefore 1 most of the 
time. 





WANDevice. {i} .WANConnectionDevi 
ce. {Jj} 


{3} is the index of the ATM sub-interface (atm {i-1}.{j}). atm 
0.1 is mapped to WANDevice.1.WANConnectionDevice.1 





WANDevice. {i}.WANConnectionDevi 
ce.{j}.WANIPConnection. {k} 


Or 


WANDevice. {i}.WANConnectionDevi 
ce.{j}.WANPPPConnection. {k} 


A singly WANIPConnection instance is supported. k is always 
worth 1. 





WANDevice. {i}.WANConnectionDevi 
ce.{j}.WANIPConnection.1.PortMa 
pping. {k} 


{k} starts from 1 to N, where N is the number of static NAPT rules. 


configure terminal 
interface atm {i-1}.{j} 


ip nat static-napt tcp 192.168.1.2 80 self 80 
ip nat static-napt udp 192.168.1.2 245 self 
245 
exit 
exit 








Services.VoiceServic 
Profile. {j} 


-{i}.Voice 


{i} and {5} are always 1. 





Services.VoiceService.1.VoicePr 


ofile.1.Enable 








Administrative state of the SIP or H.323 gateway. State mapping 
(TR-69 <OneOS): 

- Disabled: voice gateway is shutdown 

- Enabled: voice gateway is ‘no shutdown’ 

- Quiescent: not supported 








Services.VoiceService.1.VoicePr 








The {i} instance of line object corresponds to pots-group #:. 
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ofile.1l.Line. {i} 


configure terminal 
dial-peer voice pots 1 


pots-group {i} 
exit 
exit 





Services.VoiceServic 








.1.VoicePr 


ofile.1.Line.{i}.Enable 


When manipulating that object, the software looks for all physical 
voice ports associated with pots-group {i}. 


Mapping TR-69 < OneOS when reading Enable: 


- Enabled: all voice ports are ‘no shutdown’ 
- Quiescent: not supported 
- Disabled: if not enabled 





Services.VoiceServic 





ae 


-1.VoicePr 


ofile.1.Line.{i}.DirectoryNumbe 


1) If the pots-group is associated with BRI: returned value is 
empty. 


2) If the pots-group points to FXS: the returned value corresponds 
to the sip-username under voice routing associated with the dp- 
pots (see CLI: dial-peer pots {i} ua-sip). CLI example: 


configure terminal 
voice-port 5/2 

exit 

dial-peer voice pots 3 
port 5/2 
pots-group {i} 

exit 

voice-routing 


route <n> 
dial-peer pots {i} ua-sip 
sip-username 33141877000 
exit 


exit 
exit 








Services.VoiceServic 


.1.VoicePr 


ofile.1.Line.{i}.Status 


OneOS looks up the dp-pots ua-sip under voice-routing as 
described above. 


- If that number must be registered to SIP server (the command 
‘dial-peer pots <i> .. ua-sip’ is present), the status 
corresponds to registration status of that number. 

- If that number must not be registered, corresponds to the global 
registration status of SIP / H.323 gateway. 

State mapping (TR-69 < OneOS): 


- Disabled: SIP gateway is shutdown or the voice-port associated 
with that number is shutdown. 


- Registering: SIP gateway is ‘no shutdown’ (or the gateway 
interface is up) but SIP gateway / number is not registered. 


- Up: number registered (or the SIP gateway is completely 
registered). 








Services.VoiceServic 
erface. {i} 





.1.ISDNInt 





The i-th instance of the object corresponds to the BRI port+1 (ISDN 
5/0 is mapped to ISDNinterface.1). 





4.20.4 Enabling TR-111/TR-69 Pass-Through 


TR111 UDP Connection Request module uses a STUN Server to determine if a NAT Binding is in use or 
not and retrieve the public address/port in the case that NAT is used. 


When CWMP service is up, and STUN client parameter is set to TRUE, TR111 UDP Connection Request 
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4.20. 


module will try to communicate via UDP with the STUN Server. 


To start the STUN client, use the following command in CWMP configuration mode: 


CLI (cwmp)> udp-cr stun-client enable true 


To stop the STUN client, use the following command in CWMP configuration mode: 





CLI (cwmp)> udp-cr stun-client enable false 


To configure the STUN Server address, use the following command in CWMP configuration mode. The 
default STUN Server port number is 3489. 
CLI (cwmp)> udp-cr stun-client server-address <IP-address> [<port>] 


If NAT is detected, the parameter NATDetected is set to TRUE and the parameter 
UDPConnect ionRequestAddress is updated with the public address. 





If no NAT is detected, the parameter NATDetected is set to FALSE and the parameter 
UDPConnect ionRequestAddress is updated with the private address. 





To configure the STUN client authentication settings, use the following command in CWMP configuration 
mode: 


CLI (cwmp)> udp-cr stun-client authentication <username> <password> 
To configure the STUN client keepalive settings, use the following command in CWMP configuration 
mode: 

CLI (cwmp)> udp-cr stun-client keepalive <min-seconds> <max-seconds> 
To restore the STUN client keepalive default settings (0-4294967295 seconds), use the following 
command in CWMP configuration mode: 

CLI (cwmp)> udp-cr stun-client default keepalive 
To configure the STUN client minimum notification interval, use the following command in CWMP 
configuration mode: 

CLI (cwmp)> udp-cr stun-client min-notification-interval <seconds> 
To restore the STUN client default minimum notification interval (0 second), use the following command in 
CWMP configuration mode: 


CLI (cwmp)> udp-cr stun-client default min-notification-interval 


5 Manual CWMP Operations 


Invoking the request download event: 


CLI> cwmp inform request-download { 1-firmware-update | 
2-web-content | 
3-vendor-configuration-file } 

Sending a CWMP INFORM with BOOTSTRAP event: 


CLI> cwmp start 


Sending a CWMP INFORM with BOOT event: 
CLI> cwmp event BOOT 


To cancel the CWMP operation in progress: 


CLI> cwmp stop 


To force CWMP to send a BOOTSTRAP event at next boot, you must clean up a file (that would also be 
cleaned up by a factory reset): 


CLI> rm /BSA/persist/cwmp.ini 
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CLI> reboot 
4.20.6 Statistics and Troubleshooting 


The debug mode activates the traces and also saves the CWMP transaction messages in the 
/cwmp/temp directory: 


CLI> [no] debug cwmp { all | application | session | data} 


The CWMP statistics are provided by the next command: 


CLI> show cwmp statistics 


The CWMP configuration status is obtained as follows: 


CLI> show cwmp setup 


The status of the ongoing downloads is obtained as follows: 


CLI> show cwmp request-—download state 


The status of the ongoing UDP-connection request is obtained as follows: 


CLI> show cwmp udp-cr 
4.20.7 Configuration Example 


configuration terminal 
cwmp 
acs url http://acserver:7547/proxyServlet 
trigger monitored-interface atm 0.1 
config-update download-behaviour add-in 
exit 
exit 
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.21 


4.21 


AUTOCONFIGURATION 


This section describes the autoconfiguration features of OneOS and how to activate this function. 


Autoconfiguration permits, when starting DHCP client on an interface, to automatically acquire 
configuration parameters. This permits also to retrieve new image releases, thus facilitating image update 
on a large-scale basis. In order to adapt to varying customer requirements, several autoconfiguration 
methods can be defined. 


The objective of such function is to optimize deployment and maintenance costs of OneOS-based routers. 
Indeed, all routers stored in the warehouse have the same configuration files and software. When they are 
deployed in the customer premises, they download their configuration files and software if needed. This 
procedure enables the standardization of deployment and maintenance, which, in turn, enables significant 
operative savings. 


.1 Features 


The Autoconfiguration implementation is compliant with DHCP RFC 2131 and RFC2132. Note that some 
well defined DHCP fields have been reused, in order to provide a better use for our customers. 


Autoconfiguration can download router and software configuration. The following diagram shows the state 
machine of autoconfiguration and the controls made to avoid the download of faulty SW/configurations. 
The first step (“Execute bsaStart and backup configuration") is detailed in the second diagram. 


Overall State Machine 



















Execute bsaStart.cfg 
Backup configuration 

in case of errors 

(detailed in next diagram) 


Start 


No - errors in bsaStart.cfg 


Run Autoconfig periodically. 
Retrieve SW and / or config to 
download 


Download Config. 
New config 
different from 
bsaStart.cfg? 










Is new OS name 
different from 
current? 


Yes 









New config 
different from 
bsaStart.err? 





No 


Is downloaded 
OS integrity 
correct? 





Copy bsaStart.cfg 
into bsaStart.old. 
Copy new config 
into bsaStart.cfg. 
Reboot. 
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Detail of Sub-State ‘Execute bsaStart.cfg Backup configuration in case of errors’ 


Execute bsaStart.cfg 







Errors while Executing 


N 
. bsaStart.cfg 


Yes 


Rename bsaStart.err Copy bsaStart.cfg into bsaStart.err 
bsaStart.bak Put bsaStart.cfg into bsaStart.tmp 
(but CLI lines causing errors are 
commented out in bsaStart.tmp) 
Suppress bsaStart.bak 


Start autoconfig if configured 


Is command ‘reboot-recovery-on- 


error’ present? 
Yes 


Start autocontig if configured Copy bsaStart.old into bsaStart.cfg 
Reboot 


4.21.2 Configuration Commands 
The autoconfiguration feature requires that a DHCP client be enabled on an interface. 
4.21.2.1_ Enabling Autoconfiguration 


To enable autoconfiguration and select the method, use the following command in global configuration 
mode: 
CLI (configure) > autoconfiguration <method> 
CLI (ocaac-mthdl) > 
Actually, only methods ‘1’, ‘2’, ‘3’ and ‘4 are available (see below). From there, the user must configure 
method-specific parameters. 
To deactivate autoconfiguration, use the no form of the following command in global configuration mode. 
CLI (configure)> no autoconfiguration <method> 
Once the method-specific parameters are entered, enter the ‘execute’ command to complete the service 
configuration: 


CLI (oaac-mthdl)> execute 
4.21.2.2_Method-1-Specific Autoconfiguration Parameters 
4.21.2.2.1. Voice Autoconfiguration 
Voice service could also be started using autoconfiguration method #1. To activate this feature, use the 


following command under H.323 gateway configuration: 


CLI (h323gw)> gw-address autoconfig 
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In this case, The OneOS-based router waits for a DHCP request and uses the information contained in the 
DHCP message (option #14) to start the H.323 gateway. The option #14 is an ASCII string with the 
following format: 


Optionl4: “<protocol identifier>|<A>.<B>.<C>.<D>|<gateway identifier>” 


Where: 


e The protocol identifier should be set to 2 when H.323 protocol is selected. Others values has been 
reserved to maintain future software compatibility. 


e ‘<A>.<B>.<C>.<D>’ is the gatekeeper IP address, used to setup a manual or automatic registration to 
this gatekeeper. When OneOS receives a broadcast IP address, an automatic process is started 
instead of a manual one. When this IP address is set to 0, the H.323 gateway is stopped after 
disconnecting all running calls. 


e The gateway identifier provides the name of the OneOS-based router to the gatekeeper (concerning 
the RAS protocol). 


The OneOS-based router can dynamically update those parameters even if the H.323 gateway is already 
started. The H.323 gateway behavior depends on theses parameters. 


In this case, others parameters into h323-gateway configuration entry are optional except the gw- 
interface andno shutdown commands. 


To deactivate this feature, use the following command: 


CLI (h323gw)> gw-address implicit 
4.21.2.2.2 Software Image Download 


‘Method #1’ enables to check that the device has the right software image and to download a new image if 
needed. The process is described as follows: 


e The router gets the IP address of a TFTP server in the option #17 


e = If the option #17 provides a valid address, the router downloads an image information file that 
indicates the software image name and size and the TFTP server, where the image is stored. 


e If the image currently in use is different from the one retrieved in the image information file, the new 
image is downloaded and the device reboots with the new image. 


The option #17 is an ASCII string containing the IP address of the TFTP server under the format: 
‘<A>.<B>.<C>.<D>’. 


The image information file is a text file with the following fields: 


[one200] 
<string>:<software-image-file> 
<tftp-ip-addres> 
<length-in-bytes> 

[one400] 
<string>:<software-image-file> 
<tftp-ip-addres> 
<length-in-bytes> 

[one100] 
<string>:<software-image-file> 

<tftp-ip-addres> 

<length-in-bytes> 

[one300] -—- also available for onel180 
<string>:<software-image-file> 

<tftp-ip-addres> 

<length-in-bytes> 





Where: 
e <string> is actually any string (not significant today, for future use). 


e <software-image-file> is the name of the image file of the TFTP server. 
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e <tftp-ip-addres> is the address of the TFTP server, where the image can be downloaded. 


e <length-in-bytes> is the size in bytes of the image (to check if there is enough space in flash 
before downloading). 


The file can contain information for several device names. 
4.21.2.2.3. Configuration Example 


The following example shows a WAN topology in which autoconfiguration and DHCP is configured. In this 
example, router A is the DHCP client that needs to be auto-configured. Router B is the DHCP server as 
well as the default gateway router for A. 










Router B 
88.123.12.1 





HOSTB 
88.123.12.243 











Router A 
10.0.0.1 


x GATEKEEPER 
88.123.12.242 






































The configuration script is as follows for router A: 


ip dhcp vendorid voipt0t2-oneaccess 
autoconfiguration method1l 
interface FastEthernet 0/0 
ip address 10.0.0.1 255.255.255.0 
exit 
ss 
! here, configure atm 
! 
interface atm 0.1 
pvc ipoa vpi 0 vci 32 
execute 
exit 
ip address dhcp client-id fastethernet 0/0 
ip nat inside overload 
exit 
YO ass 
! here, configure voice 
! 
dial-peer voice voip 0 
gatekeeper mandatory ! select RAS protocol 
no shutdown 
exit 
h323-gateway 
gw-interface atm 0.1 ! link the H.323 gateway to an interface 
gw-address autoconfig ! select autoconfiguration feature 
no shutdown 
exit 
exit 


The configuration script is as follows for router B: 
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ip dhcp pool global 
host 88.123.12.2 
client-identifier ONE60/08:00:51:00:11 
default-router 88.123.12.1 
dns-server 122.12.32.154 
netmask 255.255.252.0 
lease 0 12 0 
option ascii 14 2|88.123.12.242|gw-test 
option ascii 17 88.123.12.243 
exit 
interface FastEthernet 0/0 
ip address 88.123.12.10 255.255.252.0 
exit 


DHCP autoconfiguration parameters are ASCII strings configured as following: 


Optionl4: “2|88.123.12.242|gw-test” 
Option17: “88.123.12.243” 


File oneaccess.general located in host B can be configured like that: 


[one200] 

F0O1L002.00:ONEOS1-VOIP-V3 .3R2E31T1 
220.0.0.43 

5446002 

[one400] 

FOLO02 .00:ONEOS2-VOIP-V3 .3R2E31T1 
220.0.0.43 

5555002 


Once A retrieved main DHCP parameters (IP address, net mask, default route and DNS server), 


autoconfiguration looks up for options #17 and #14. 


Voice parameters contained in option #14 indicate that a gatekeeper named gw-test at IP address 
88.123.12.242 is ready. The first number (2) means that h323 module is required. Otherwise, voice 


configuration is bypassed. 


Option #17 is the IP address of the remote TFIP server to download image information file 
oneaccess.general. Once the IP address is extracted from option #17, the file is retrieved and 


analyzed. 


4.21.2.3 Method-2-Specific Autoconfiguration Parameters 
4.21.2.3.1_ Voice Autoconfiguration 

Voice autoconfiguration is the same as method 1. 
4.21.2.3.2 Downloading Configuration and Software 


In this method, the process is: 


e The router sends a DHCP discover with option #60 (vendor-id) under the form voipt0t2- 
oneaccess~<software-release> and gets the IP address of a TFTP server in the option #17. 


e If the option #17 provides a valid address, the router downloads an information file that indicates the 
software image name, configuration file and the FTP servers to be used, where the configuration and 


image files are stored. 


e The option #67 tells what is the information file name containing all the above-mentioned information. 


The option #17 is an ASCII string containing the IP address of the TFTP server under the format: 


‘<A>.<B>.<C>.<D>’. 
The downloaded information file is under the following form: 


/home/luci/admintests/oaac/config_one200 
192.168.30.234 
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lucilu 

lucil23 
admintests/oaac/oneos1.gen 
192.168.30.234 


The syntax is the following: 


<config-path/filename> 
<ftp-server-—ip> 
<login> 

<password> 
<path/gen-file> 
<tfitp-server-ip> 


Details about parameters: 


e <config-path/filename>: full path and file name of the configuration file that must be 
downloaded. 


e <ftp-server-ip>: it is assumed that the configuration file is on a FTP server whose IP is provided 
here. 


e =<login>: FTP login. 
e <password>: FTP password. 


e <path/gen-file>: full path and name of the general file, where the software images are specified. 
This file is similar to oneaccess.general of autoconfiguration method 1. It has the following form: 


[one200] 

F01L002.00:ONEOS1-VOIP-V3 .3R2E31T1 
220.0.0.43 

5446002 

[one400] 

FOLO02 .00:ONEOS2-VOIP-V3 .3R2E31T1 
220.0.0.43 

5555002 


e <tftp-server-—ip>: TFTP server where the general file is kept. 


The autoconfiguration is retried until successful; then, the process restarts periodically (corresponding to 
the DHCP lease time) in order to check for new versions or configuration. 


At successful completion of the software upload/download, some test calls are sent. Traps are emitted to 
the configured event managers, if no test call is successful. If no successful call after 3 attempts is 
observed, the Voice LED remains red. 


To enable autoconfiguration method 2 and select the method, use the following command in global 
configuration mode: 


CLI (configure)> autoconfiguration 2 


CLI (oaac-mthd2) > 


To configure the interface onto which DHCP requests must be issued, enter the following command: 


CLI (oaac-mthd2)> add-interface <interface> <unit> 


If the software image is allowed to be upgraded, the following command must be entered (default: 
disabled): 


CLI (oaac-mthd2)> os-update {enabled|disabled} 


To specify the hostname that must be used within DHCP inform: 


CLI (oaac-mthd2)> add-hostname <string> 


The autoconfiguration can be enabled only after synchronization with a NTP server: 


CLI (oaac-mthd2)> add-ntp-server <ip> 


The autoconfiguration logs can be sent to a syslog server: 





CLI (oaac-mthd2)> add-syslog-server <ip> 
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When the configuration is completed, always enter the ‘execute’ command to activate the changes: 
CLI (caac-mthd3)> execute 
The next parameter enables to reboot automatically with the old configuration in case the new 


configuration downloaded is detected as invalid (errors while executing the start configuration; by default: 
disabled): 


CLI (oaac-mthd3)> exit 
CLI (configure)> [no] reboot-recovery-on-error 
4.21.2.4 Method-3-Specific Autoconfiguration Parameters 
4.21.2.4.1. Voice Autoconfiguration 
Voice autoconfiguration is the same as method 1. 
4.21.2.4.2 Enabling test calls 
This method is similar to method 2 but no image and configuration file are downloaded. In this method, the 


process is: 


e The router sends a DHCP discover with option #60 (vendor-id) under the form voipt0t2- 
oneaccess~-<software-release> and gets the IP address of a TFTP server in the option #17. 


e The router retrieves the voice parameters and proceeds with test calls. 


The autoconfiguration is retried until successful. Traps are emitted to the configured event managers, if no 
test call is successful. If no successful call after 3 attempts is observed, the Voice LED remains red. 


To enable autoconfiguration method 3, use the following command in global configuration mode: 
CLI (configure)> autoconfiguration 3 
CLI (oaac-mthd3) > 

To configure the interface onto which DHCP requests must be issued, enter the following command: 


CLI (ocaac-mthd3)> add-interface <interface> <unit> 


To specify the hostname that must be used within DHCP inform: 


CLI (oaac-mthd3) > add-hostname <string> 


The autoconfiguration can be enabled only after synchronization with a NTP server: 


CLI (oaac-mthd3)> add-ntp-server <ip> 


The autoconfiguration logs can be sent to a syslog server: 





CLI (oaac-mthd3)> add-syslog-server <ip> 


When the configuration is completed, always enter the ‘execute’ command to activate the changes: 





CLI (caac-mthd3)> execute 
4.21.2.5 Method-4 Autoconfiguration 


Autoconfiguration method 4 is configured with the same parameters as autoconfiguration method 2 and 
the file formats on FTP/TFTP servers are the same, as well as DHCP options. 


The main differences between method 2 and 4 are exclusively related to OneOS behavior: the way to 
download files, to reboot and to recover from errors is different. To further detail the behavior of method-4 
autoconfiguration, the next diagram depicts the autoconfiguration steps: 
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4.21.3 Configuration and Statistics 


To display statistics about the existing autoconfiguration, use the following command line: 


CLI> show autoconfiguration 

autoconfig method1l 

config: tftp tries 0 (0 successfull, O bad params) 

software version: tftp tries 0 (0 errors, 0 checksum errors) 
system: errors fs 0, other 


To display help information on how to use autoconfiguration, simply type the ‘autoconfiguration’ command: 


CLI (configure) > autoconfiguration 
methodl: voice configuration and image version download manager 
dhcp: option 14{A|B|IC}, A=2 for H323, B gatekeeper ip@, 
identifier 

option 17{D}, tftp server to download config file 
oneaccess.general format: 
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[header] machine type: one200 or one400 

filename in the format A:B where A is a private name, B is the image 
version 

ipaddress ip address of tftp server to download image from filesize 
number of bytes of the file to download 


4.21.4Debug and Trace 


To enable autoconfiguration debugging, use the following command: 


CLI> debug autoconfiguration 


CLI> no debug autoconfiguration 
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4.22 DNS RELAY/PROXY 


This section describes the main features of the DNS Relay/Proxy and its configuration. 
4.22.1 Features 
DNS (Domain Name Service) is widely used to resolve IP address from host name. The DNS relay/proxy 


module provides the following features: 


e DNS Relay (only). This basic feature is meant to receive client's DNS queries and send them to a 
DNS server. Then, receive DNS replies from the DNS server and send them back to the clients. 


e DNS proxy cache. The replies from a DNS server can be saved in a local cache such that they can be 
used later to directly reply to DNS queries if the requested resource matches. 


e Cached entry aging. Cached DNS resources will be invalid after a time equal to the time-to-live value 
returned in server reply. 


e Relaying both UDP and TCP DNS queries. 
e Multiple DNS servers. This feature can provide failover upon the failure of a DNS server. 
Use of a DNS relay/proxy offers the following advantages: 


e Easy configuration. To access the Internet in a Small Office and Home (SOHO) environment, the DNS 
server address is generally dynamically configured, for example, by PPP. Hosts on the inside network 
cannot be configured with DNS server address when the Internet connection is not ready. In this case, 
the access router can function as DNS relay. On the inside hosts, the DNS server address is set to the 
router's address. 


e Performance improvement. On low bandwidth links, DNS queries can be sometimes a performance 
bottleneck. It often happens that a number of DNS queries try to resolve IP address from the same 
host name. This results in duplicated traffic over a congested link. DNS cache allows to save DNS 
replies and to process locally DNS queries. This will increase the performance of the Internet link. 


e Fault tolerance. It happens that some DNS servers temporarily do not respond to DNS queries. With a 
DNS cache, the applications will continue to work. 


One of main disadvantages of using DNS proxy cache is that DNS based load balancing will no longer 
work. 


4.22.2 Configuration Commands 


The configuration of DNS relay/proxy can be divided into the following steps: 
e Setting name server addresses - required. 

e Configuring cache size - optional. 

e Configuring source address to use while relaying DNS queries - optional. 
e Configuring the local router to use DNS relay/proxy - optional. 


e Configuring client addresses which are allowed to use DNS relay/proxy - optional. 
4.22.2.1 Setting Name Server Addresses 


To enable the DNS relay/proxy, the only thing required to do is to set one or more DNS server addresses. 
This can be done by using the following command in global configuration mode. At least one IP address 
(up to 3) must be specified. By default, the DNS relay/proxy is disabled. 


CLI (configure)> ip dns-proxy dns-server <address> [<address> [<address>]] 


DNS server addresses can also be learned (see 4.22.2.5 below). 
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To disable DNS relay/proxy, use the following command in global configuration mode: 
CLI (configure)> no ip dns-proxy dns-server 


After this command, the DNS relay/proxy will stop to function and all allocated resources (including cache 
memory) will be freed. 


4.22.2.2 Configuring Cache Size 


The DNS relay/proxy can save the responses returned by a DNS server in the memory cache. By default, 
DNS cache is enabled and the cache size is set to 32K bytes. To change the cache size used by the DNS 
relay/proxy, use the following command in global configuration mode: 


CLI (configure)> ip dns-proxy cache <bytes> 
The cache size is specified in units of bytes. The size of memory necessary for caching a host name and 
address binding varies with the length of domain name. For a simple estimation, it can be reasonably 
assumed that on the average, a host name and address binding requires about 100 bytes of memory. As a 


result, the default cache size allows storing about 320 name/address bindings. The lifetime of a cache 
entry is the TTL (Time-To-Live) value returned by the DNS server, typically in order of hours. 


To make the DNS relay/proxy function as a simple relay without cache, use the following command in 
global configuration mode: 


CLI (configure)> no ip dns-proxy cache 


To set the cache size to its default value, use the following command in global configuration mode: 





CLI (configure)> default ip dns-proxy cache 
4.22.2.3_ Configuring the Source Address of Relay Agent 
This address is used by the relay agent as the source address to relay DNS queries to DNS servers. To 
configure the source address to use, use the following command in global configuration mode: 
CLI (configure)> ip dns-proxy source-address <interface> 
The interface is the type and unit of the interface whose address will be taken. By default, the source 


address is not set. The address of the outgoing interface is used as the source address in relayed DNS 
query packets. 


To get back to the default behavior, use the following command: 


CLI (configure)> default ip dns-proxy source-address 
4.22.2.4 Configuring the Local Router to use DNS Relay/Proxy 


To enable the local router to use the same DNS relay/proxy, use the following command in global 
configuration mode: 


CLI (configure)> ip name-server 127.0.0.1 


To configure the domain name to use, use the following command: 





CLI (configure)> ip domain-name <domain-name> 
4.22.2.5 Learning DNS Server 


In some application cases, the DNS server is known via DHCP and/or IPCP (on PPP based connections). 
OneOS holds up to 4 learnt DNS server addresses. If one DNS server does not answer, the next one is 
queried. The following command in global configuration mode forces the DNS proxy to use the dynamically 
learnt DNS servers. 


CLI (configure)> ip dns-proxy dns-server learn 


To define the priority among the learnt DNS servers, use the following command in global configuration 
mode: 
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CLI (configure)> ip dns-proxy dns-server learn priority { dhcp | ipcp } 
Another way (exclusive from the previous one) to define the priority among the learnt servers is to use the 
following command in global configuration mode. The priority is given by the order of the given interfaces. 


CLI (configure)> ip dns-proxy dns-server learn from <interfacel> 
[ <interface2> [ <interface3 [ <interface4> ]]] 


When DNS resolution cannot happen because a DNS server is not yet learnt (for example the PPP 
connection to learn the DNS is not open because DNS resolution has not happened) a default DNS server 
address has to be provided such the DNS proxy can use this address as the default DNS server as long as 
it has not learnt a DNS server. 


CLI (configure)> ip dns-proxy dns-server learn default-server <ip-addr> 
Note: the default server address can be not valid (e.g. 1.1.1.1). In that case it is used only to open the 


connection to learn the DNS. When the default server address in valid, the default server gets the lower 
priority. 


To stop learning the DNS server addresses, use the following command in global configuration mode: 


CLI (configure)> no ip dns-proxy dns-server learn 


4.22.2.6 Configuring Client Addresses 


To limit the use of the DNS relay/proxy by one specific interface, use the following command in global 
configuration mode: 

CLI (configure)> ip dns-proxy proxy-address <interface> 
The interface is the type and unit of the interface allowed to use the DNS relay/proxy. By default, all the 
interfaces are allowed to use the DNS relay/proxy. 
To get back to the default behavior, use the following command: 


CLI (configure)> ip dns-proxy proxy-address any 


4.22.3 Statistics 


To view the DNS proxy cache content, use: 


show ip dns-proxy cache 


To clear the cache content: 


clear ip dns-proxy cache 


To show the servers used by the DNS proxy: 


show ip dns-proxy server 
4.22.4 Configuration Example 


In this example, hosts on the inside network use the address space 192.168.2.0/24. They are configured 
to use the DNS server 192.168.2.1, which is the address of the access router (FastEthernet 0/0). Two DNS 
servers are provided by the service provider. 
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The configuration script is as follows: 


interface FastEthernet 0/0 
ip address 192.168.2.1 
exit 


ip dns-proxy dns-server 1.1.1.8 1.1.1.9 
ip dns-proxy cache 100000 


ip name-server 127.0.0.1 
ip domain-name isp.com 


4.22.5 Statistics 


To display DNS relay/proxy statistics, use the following command: 


CLI> show ip dns-proxy statistics 
DNS proxy statistics: 


4 queries, 2 cached entries, 0 query failures 
0 pending UDP queries, 0 pending TCP queries 


4.22.6 Debug and Trace 


To enable DNS relay/proxy debugging, use the following command: 


CLI> debug ip dns-proxy 


To disable DNS relay/proxy debugging, use the no form of the above command. 
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4.23 VIRTUAL ROUTER REDUNDANCY PROTOCOL 


This section describes the main features of the Virtual Router Redundancy Protocol (VRRP). 


VRRP is a technique that enables a group of routers to form a single virtual router. The LAN clients 
configure the virtual router as their default gateway. 


Dedicated VRRP multicast packets are emitted periodically by the master of the group, thereby proving 
that it owns the virtual address. The other routers of the group are said to be backup routers. If no more 
packets are emitted for any reason, one backup router will declare itself as master. 


The election of a new master router is transparent to LAN clients that keep on using the same virtual IP 
address. 


VRRP is available for FastEthernet interfaces and VLANs of the OneOS-based routers. 


4.23.1 Features 


The VRRP implementation is compliant with RFC 2338. The implementation supports one virtual MAC 
address per Ethernet interface. Virtual MAC address setting is optionally configurable: by default the MAC 
address toggles between the virtual address when the router is master, and the physical address when the 
router is backup. This address toggling can be disabled by configuration. In addition it is automatically 
disabled if more than one Virtual Router is configured on an interface. 


On OneAccess router switch interfaces, be aware of the following: a single MAC address is supported for 
all the physical and VLAN interfaces of the switch. So if a Virtual Router is configured on one of the 
interfaces of the switch, the virtual MAC address will apply also on all the other interfaces of the switch 
when the Virtual Router becomes master. 


An alternate MAC address behavior can be optionally enabled on the switch interface. By default this 
behavior is disabled. When enabled, each interface of the switch owns its own MAC address 
independently of the others, and the MAC addresses never toggle between virtual and physical ones, 
whatever the master/backup state of the Virtual Router(s): the master Virtual Routers are accessed via 
their virtual MAC addresses, and simultaneously the real router is accessed via the physical MAC 
addresses. 


4.23.2 Configuration Commands 


A Virtual Router is configurable per interface and per virtual router identifier. It is not possible to configure 
the same virtual router identifier on several interfaces. 


4.23.2.1 Virtual Router IP Address 


To set the virtual router address to an interface and a virtual router identifier and start running a VRRP 
daemon, use the following command in interface configuration mode: 


CLI (config-if)> vrrp <vrid> [address <virtual-router-ip-address> 
[<mask>]] 


The main virtual address is the first set on the interface, while secondary addresses follow the 
configuration order. 


It is authorized, but not recommended, to use the same address as a real address and as a virtual 
address, thus occasioning duplicated addresses with two boxes alive. The address part of the command 
must be provided the first time for virtual router configuration. Then, the CLI enters in VRRP configuration 
mode. Only enter 'vrrp <vrid>' when you wish to modify some parameters for the VRRP configuration 
referenced by <vrid>. 


To delete an IP address, use the 'no' form of the above command. 
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4.23.2.2 Virtual MAC Address 
By default and if supported by the interface (see 4.11.4), a single virtual MAC address is enabled on the 
interface. It is required to disable this MAC address if more than VRID is supported. The command is: 
CLI (config-if-vrrp)> [no] virtual mac-address 


If the multi-MAC-address option is configured, the [no] virtual mac-address command is no more 
needed, is not applied, and is not displayed in the running configuration. 


4.23.2.3 Setting a Priority of a Router 
To set priority to an interface and a virtual router identifier, use the following command in VRRP 
configuration mode: 
CLI (config-if-vrrp)> priority <1-255> 
The higher the priority, the higher the router is able to be master within a virtual group. Setting to 255 will 
force the router to be master. 


To reset priority to the default priority (100), use the 'no' form of the above command. 
4.23.2.4 Preemption 


To prevent a router from being master because it has a higher priority than the other routers of the group, 
use the following command in VRRP configuration mode: 


CLI (config-if-vrrp)> no preempt 


However, if no messages are received on the configured interface, it will become master. 


To come back to default preemption mode, or change the default preemption timer, use the following 
command: 


CLI (config-if-vrrp)> preempt <1-3600> 
4.23.2.5 Advertisement Timer 


To configure the advertisement timer to an interface and a virtual router identifier, use the following 
command in VRRP configuration mode: 


CLI (config-if-vrrp)> timer advertise <1-3600> 


The timer must be given in seconds. 


To reset the advertisement timer to the default value (1 second), use the 'no' form of the above command. 
4.23.2.6 Timer Learning 


To learn the advertisement timer of the current master of the virtual group, use the following command in 
VRRP configuration mode: 


CLI (config-if-vrrp)> timer learn 


Router will then change its advertisement timer to the same as the master one. 


To prevent from learning and to reset to the default behavior, use the 'no' form of the above command. 
4.23.2.7 Authentication Password 


To enable simple text authentication within VRRP packets, use the following command in VRRP 
configuration mode: 


CLI (config-if-vrrp)> authentication <password> 


To disable authentication, and reset to the default behavior, use the 'no' form of the above referenced 
command. 
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4.23.2.8 Monitoring Interface 


The VRRP router can be monitored using a different interface from that where the VRRP router is defined. 
The following command defines the interface where messages for virtual router monitoring are exchanged, 
beginning in VRRP configuration mode: 


CLI (config-if-vrrp)> monitoring-interface { 
Ethernet <slot>/<port>[.<vlan-if>] | 
FastEthernet <slot>/<port>[.<vlan-if>] | 
Serial <slot>.<port> | 
Tunnel <tunnel-id> } 


4.23.2.9 Tracking Interface 


Usually, the VRRP routers communicate using LAN interfaces. If the WAN link fails, it makes then sense to 
swap router priorities so that the router with an operational WAN link becomes the active router. 


The following command defines the interface where status is monitored. When the interface becomes 
down, the VRRP router priority decreases by 20. If the interface is up again, the VRRP router recovers its 
default priority: 


CLI (config-if-vrrp)> tracking-interface { 
Loopback <port> | 
Atm <port>[.<subif>] | 
FastEthernet <slot>/<port>[.<vlan-if>] | 
Serial <slot>.<port> | 
Tunnel <tunnel-id> } 


4.23.2.10 Tracking List 


Alternatively, instead of tracking an interface state, the router priorities can be swapped according to 
events monitored by a dialer watch-list. In this list you can define a combination of interfaces and/or routes 
whose status has to be monitored. When the watched item(s) is (are) down (loss of route(s) and/or 
interface(s) status down) the VRRP router priority decreases by 20, thus permitting the peer VRRP router 
to take precedence. When the watched condition is up again, the VRRP router recovers its configured 
priority. 


You can optionally define a delay before the down (respectively up) status of the watched list is confirmed 
and signaled. The default values of the up and down delay is 30 seconds. 


CLI (config-if-vrrp)> tracking-list <dialer watch-list name> [ <up-delay> 
[<down-delay>]] 
You configure a dialer-watch-list at the global configuration level by the following command (see 4.3.13.3 - 
Dialer Watch-List): 
CLI (configure)> dialer watch-list [ logical-any | logical-all ] <list 


name> 


4.23.2.11 Sending SNMP Traps 
Whenever a VRID has a state change (master/idle), a trap can be issued. To activate trap sending: 
CLI (configure)> [no] snmp traps vrrp 
4.23.3 Configuration Examples 


This section includes two examples showing how to configure: 
e Abasic VRRP topology. 
e Load sharing with redundant VRRP topology. 
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4.23.3.1 Basic VRRP Topology 


The following example shows a simple LAN topology in which VRRP is configured. In this example, 
Routers A and B are VRRP routers (routers running VRRP) that form a virtual router. The IP address of the 
virtual router is the same as that configured for the FastEthernet interface of Router A (10.0.0.1). 


Virtual router group 1 
IP=10.0.0.1 





LAN clients, 
Default gateway: 
gw=10.0.0.1 ’ 


The configuration script is as follows for router A: 






































interface FastEthernet 0/0 
ip address 10.0.0.2 255.255.255.0 
vrrp 1 
address 10.0.0.1 255.255.255.0 
timers advertise 2 
priority 150 
exit 
exit 


The configuration script is as follows for router B: 


interface FastEthernet 0/0 
ip address 10.0.0.3 255.255.255.0 
vrrp 1 
address 10.0.0.1 255.255.255.0 
timers learn 
exit 
exit 


A is always master, except when unavailable. 
4.23.3.2_ Load Sharing with Redundant VRRP Topology 


In this topology, two virtual routers are configured. 


For virtual router 1, Router A is the owner of IP address 10.0.1.2 and the master virtual router, Router B is 
the backup virtual router to Router A. Two clients are configured with the default gateway IP address of 
10.0.1.1. 


For virtual router 2, Router B is the owner of IP address 10.0.2.2 and master virtual router, and Router A is 
the backup virtual router to Router B. Two clients are configured with the default gateway IP address of 
10.0.2.1. 


Router C is linked to router A and B, via two ATM links. It is informed using the RIP routing protocol of 
which route is best to reach the two 10.1.2.0/24 and 10.1.1.0/24 sub-networks. 


When router A is master for virtual router 1 and B is master for virtual router 2, the two sub-networks are 
routed to the two respective ATM links. 


If router B fails, then router A is becoming master for virtual router 2, and adds as a secondary address 
10.1.2.1. Both redundant routers send RIP routes with the same metric to the gateway C. 


If router B has been reset, then the two routes 10.1.2.0 will be available for a certain time at gateway C. 
However, if router B is still available, and that virtual router 2 is backup (for example if a priority change 
occurred), all RIP routes to the backup interfaces are removed, thus informing gateway C of the sudden 
change in routing information. 
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The configuration script is as follows for router A: 


no virtual mac-address 
interface FastEthernet 0/0 
ip address 10.0.1.2 255.255.0.0 
vrrp 1 
address 10.0.1.1 255.255.255.0 
authentication groupl 
priority 150 
exit 
vrrp 2 
address 10.0.2.1 255.255.255.0 
authentication group2 
exit 
exit 


! here you configure pvc atm 

! optionally, rip helps inform fastethernet interface 
router rip 

no autosummary 

network 10.0.0.0 

! atm interface 

network 52.0.0.0 

exit 


The configuration script is as follows for router B: 


no virtual mac-address 
interface FastEthernet 0/0 
ip address 10.0.2.2 255.255.0.0 
vrrp 1 
address 10.0.1.1 255.255.255.0 
authentication groupl 
exit 
vrrp 2 
address 10.0.2.1 255.255.255.0 
authentication group2 
priority 150 
exit 
exit 


! here you configure pvc atm 

! optionally, rip helps inform fastethernet interface 
router rip 

network 10.0.0.0 

! atm interface 

network 53.0.0.0 

exit 
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The configuration script would be as follows for C gateway: 


! here you configure pvc atm 


! optionally, rip helps inform fastethernet interface 


router rip 

no auto-summary 
network 52.0.0.0 
network 53.0.0.0 


4.23.4 Statistics 
To display statistics about the existing virtual groups: 


CLI> show vrrp statistics 
Virtual Router Identifier 1 


IN: 3153 advertisements, 0 zero-priority advertisements 


0 bad length, O bad vrid, 0 time-to-live errors, 


0 bad type 


0 advertisement interval mismatch, 0 address mismatch 
0 bad authentication type, 0 authentication type mismatch 





QO authentication failures 


OUT: 3153 advertisements, 0 zero-priority advertisements 


1 times became master 





It is possible to clear VRRP statistics, using the following command: 


CLI> clear ip vrrp 


To display information about the existing virtual group: 


CLI> show vrrp vrid 1 
FastEthernet 0/0 - Group 1 
State is master 








Virtual IP address 10.0.0.1, Netmask 255.255.255.0 
Virtual Mac address is 00:00:5e:00:01:01 


Advertisement interval is 2 sec 





Preemption is enabled, min delay is 15 sec 


Priority 150 


Master Route is 10.0.0.1 (local), priority is 150 


(0) 


To display information about the existing VRRP configuration on any interface, use the following 


command: 


CLI> show vrrp interface fastethernet 0/0 





FastEthernet 0/0 - Group 1 
State is master 


Virtual Mac address is 00:00:5e:00:01:01 
Virtual IP address 10.0.0.1, Netmask 255.255.255.0 


Advertisement interval is 1 sec 
Preemption is enabled 
Priority 150 





Master router is 10.0.0.1 (local), priority is 150 


FastEthernet 0/0 - Group 2 
State is backup 





Virtual IP address 10.0.0.2, Netmask 255.255.255.0 
Virtual Mac address is 00:00:5e:00:01:02 


Advertisement interval is 1 sec 
Preemption is enabled 
Priority 100 





4.23.5 Debug and Trace 


To enable IP interface debugging, use the following command: 


CLI> debug ip vrrp 


To disable IP interface debugging, use the 'no' form of the above command. 


(0) 


(1) 
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4.24 ICMP ROUTER DISCOVERY PROTOCOL (IRDP) 


4.24.1 Introduction 


This section describes the main features of the ICMP router Discovery Protocol (IRDP). 


IRDP is a technique that enables a group of hosts to discover the router that serves as their default 
gateway. When a gateway fails, the LAN clients are able to discover a new gateway. 


Dedicated IRDP advertisement messages are emitted periodically by routers with advertising interface 
enabled, thus telling hosts on the local sub-network that the router is a valid gateway for a defined duration 
of time. 


Rather than waiting for advertisement messages, LAN clients can send solicitation messages. IRDP 
solicitation messages are immediately processed and permit remote hosts to update their routing 
information faster than with a standard routing protocol IRDP is available for all interfaces supporting 
broadcast and/or multicast. 


The IRDP implementation is compliant with RFC 1256. 


4.24.2 Configuration Commands 
IRDP is configurable in interface configuration mode. 
4.24.2.1_ Enabling IRDP 


To enable IRDP on an interface and listening to IRDP messages, use the following command in interface 
configuration mode: 


CLI (config-if)> ip irdp enable 
IRDP advertisements are sent periodically, according to IRDP timer configuration. 


4.24.2.2_ Configuring Hold Time 


The IRDP hold time is the number of seconds that the router address can be considered valid. To 
configure hold time, use the following command in interface configuration mode: 


CLI (config-if)> ip irdp holdtime <0-9000> 


To reset hold time to its default value, use the following command in interface configuration mode: 


CLI (config-if)> no ip irdp holdtime 


Default value is 1800 seconds. 
4.24.2.3. Configuring Advertisement Interval 


To configure the interval between emitted advertisements messages, the RFC recommends randomizing 
emission, thereby reducing the probability of synchronization with the advertisements from other routers. 


Advertisement interval is chosen between the two below intervals, and is expressed in seconds. 


CLI (config-if)> ip irdp minadvertinterval <3-1800> 
CLI (config-if)> ip irdp maxadvertinterval <4-1800> 


However, it is possible to strictly configuring a period, by using the same _ interval for 
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minadvertinterval and maxadvertinterval. 


The default minadvertinterval and maxadvertinterval values are respectively 450 and 600 
seconds. To reset to default value, use the following commands in interface configuration mode: 


CLI (config-if)> no ip irdp minadvertinterval 


CLI (config-if)> no ip irdp maxadvertinterval 
4.24.2.4 Configuring Preference 


It is possible to associate the sending router's IP addresses on the interface from which this message is 
sent, with a preference level. The higher the preference level, the more preferable the addresses are 
elected by the hosts. 


To configure preference, use the following command in interface configuration mode: 
CLI (config-if)> ip irdp preference <-2147483648 ... 2147483647> 


To reset preference to default value (0), use the following command in interface configuration mode: 


CLI (config-if)> no ip irdp preference 
4.24.2.5 Broadcast/Multicast Emission 


It is possible to force advertisement message encapsulation within broadcast packets. Use the following 
command in interface configuration mode to: 


CLI (config-if)> no ip irdp multicast 


To reset emission to multicast, use the following command in interface configuration mode: 


CLI (config-if)> ip irdp multicast 


4.24.3 Configuration Examples 


The following example shows a simple LAN topology in which IRDP is configured. In this example, Routers 
A and B send advertisements messages and present their own interface addresses. 





LAN clients, 
Default gateway: 
gw=10.0.0.2 mt jm 


The configuration script is as follows for router A: 






































interface FastEthernet 0/0 
ip address 10.0.0.2 255.255.255.0 
ip irdp minadvertinterval 30 
ip irdp maxadvertinterval 60 
ip irdp holdtime 45 
ip irdp preference 10 
ip irdp enable 
exit 


The configuration script is as follows for router B: 
interface FastEthernet 0/0 
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ip address 10.0.0.3 255.255.255.0 
ip irdp minadvertinterval 30 

ip irdp maxadvertinterval 60 

ip irdp holdtime 45 

ip irdp enable 

exit 


While A is present, A is always accepted by LAN clients, as A’s preference is bigger than B’s. However if A 
is not present, then, LAN clients choose B as new gateway. 


4.24.4 Statistics 


To display statistics about the existing IRDP interfaces: 


CLI> show ip irdp 
FastEthernet 0/0: router discovery enabled 

advertisements multicast sent between 30 and 60 sec. 
validity 45 sec. no preference configured 

IN: solicitations 3 (bad 0) 

OUT: advertisements 10 (answers 3, broadcast 0, multicast 7) 





It is possible to clear IRDP statistics, using the following command: 


CLI> clear icmp counters 
4.24.5 Debug and Trace 


To enable IRDP debugging, use the following command: 


CLI> debug ip irdp 


To disable IRDP debugging, use the 'no' form of the above command. 
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4.25 


IP SERVER LOAD BALANCING 


The purpose of Server Load Balancing is to distribute the load over several servers when processing a 
large number of client requests. 


The benefits of Server Load Balancing (SLB) are the following: 


- Higher performance and scalability: as the load is shared among multiple servers, a high number of 
requests can be processed. The system is scalable; a new server can be installed to manage increased 
performance requirements (instead of replacing the server by a larger machine, thus requiring longer 
service outage and more investment). 


- Higher service availability: if a server is not operational, client requests are forwarded to other operational 
servers. Therefore, the service remains available provided that the required load does not exceed the 
capacity of remaining servers. 


Typical Architecture of SLB: 

It is made up of: 
e Aserver farm, which gathers several (real/physical) servers (server 1, 2, 3...). 
e = A virtual server which will represent the server farm to the outside world. 


e The Load Balancer (SLB Router), which implements the virtual server and distributes the 
connections to the servers’ member of the server farm. 


Server 1 Server 2 Server 3 
20.1.1.44 20.11.23 20.1.1.103 





20.1.1.0 






20.1.1.20 














SLB Router 
192.168.2.9 
192.168.2.0 
Clients ry 
——=—] 
192.168.2.11 192.168.2.X 


When the SLB router receives a client request, OneOS-based router uses a scheduling algorithm to decide 
which server the client shall establish a dialog with. The router memorizes the session parameters for that 
client allowing packets to and from that client to always follow the same path. This guarantees that the 
client always dialogs with the same physical server. 
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4.25.1 Features 
4.25.1.1 Scheduling Algorithms 


The OneOS SLB provides the following scheduling algorithms: 


- Weighted round robin: each server has an associated weight n; new connections are assigned to the 
server n times before choosing the next server in the farm. 


- Weighted least connections: each server has an associated weight n. Using this weight, the relative 
capacity of this server is calculated as n/(n1 + n2 + n3 +...). A new connection is assigned to the server 
with the fewest active connections relative to its capacity. 


4.25.1.2_ Automatic Server Failure Detection 


SLB automatically detects failed TCP connections to a physical server and counts them. If a failure 
threshold is exceeded then the server is declared out of service and is removed temporarily from the list of 
active servers. 


4.25.1.3. Automatic Un-fail 


After a failed server is removed from the list of active servers, no connections are allocated to that server. 
After a configurable retry period, if the server is successfully tested, then the server is added back to the 
list of active servers. Otherwise, the server will wait for another retry period. 


4.25.1.4 Client-Assigned Load Balancing 


For a virtual server it is possible to restrict access by specifying a list of allowed clients. This can be used 
to redirect the requests of a set of clients to a virtual server, and the requests of other clients to another 
virtual server. 


4.25.1.5 Delayed Removal of TCP Connection Context 


Because SLB uses NAT, it benefits from this feature: the removal of sessions can be delayed even though 
the SYN_CLOSE message was intercepted. 





4.25.1.6 Maximum Connections - Maximum Clients 


The maximum number of simultaneous connections or clients per physical servers can be configured. If 
this number is reached for a specific server and if another server is not available, then the incoming 
connections will be dropped. This configuration parameter limits the impact of some malicious attacks. 


4.25.1.7 Server NAT 


The implementation of SLB uses a specific NAT mechanism called "server NAT". The destination address 
of the incoming packets is rewritten with the address of a physical server. This imposes some restrictions 
on network topology: all packets coming from the physical servers must transit through the SLB router as 
wells as those addressed to the SLB clients. 


4.25.1.8 Server Port Translation and Port-Bound Servers 


A virtual server can be configured to handle the requests only for a specific TCP or UDP port. In this case 
the physical servers will also listen to a configured port and the destination port from the incoming packets 
will be translated to the real server port (the destination address will be translated to the physical server 
address - see Server NAT). The difference with classical SLB is the fact that load-balancing is done for 
specific application ports. Packets that are addressed to different ports of the virtual server are not 
redirected. 


OneOS SLB supports both port-bound and non-port-bound servers. 
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4.25.1.9 Sticky Connections 


Sometimes, a client transaction can require multiple consecutive connections, which means new 
connections from the same client IP address or subnet must be assigned to the same real server. 


4.25.2 Configuration 


The configuration is done in 2 steps: 
1. Aserver farm must be configured. 
2. Avvirtual server must be configured. 


The virtual server address must be configured either as a loopback address or as a secondary IP address. 
4.25.2.1_ Server Farm Configuration 


CLI (configure)> ip slb serverfarm <farm-name> 


Creates a server farm, then, the scheduling algorithm can be selected. By default, the weighted round 
robin algorithm is used. If the 'weighted least connections’ is used instead, the following command must be 
entered: 


CLI (slb-serverfarm) > predictor leastconns 


To return to default value, enter 'no predictor’. A server farm is composed of several real servers. 
4.25.2.2_ Real/Physical Server Configuration 


The following commands add a real server to the server farm and authorize the SLB router to distribute 
load to that server: 


CLI (slb-serverfarm)> real <ip-address> [<port>] 
CLI (slb-real-serv)> inservice 


Additionally to the address of the server, a server port can be optionally configured. All connections to the 
real server will be redirected to the specified server. This works in tandem with port-bound virtual servers. 
To delete a real server, use "no real <address> [<port>]" 


Several parameters can be configured in this configuration mode: 


weight <1-255> - Relative weight in the server farm. The bigger the weight, the more connections will 
be allocated to the real server. Default: 8 


maxclients <0-2000> - Maximum number of clients the real server will manage simultaneously. If 
additional clients try to connect, the connections fail. The clients are actually the different IP addresses 
connected to the SLB router. Please note that the client management functions only when the virtual 
server associated with this real server, is configured to have sticky connections. If the sticky option is off, 
the clients are not counted. Default: 2000 


maxconns <0-2000> - Maximum number of simultaneous connections; additional connections will be 
refused. Default: 65,535 (in other words, almost unlimited) 


faildetect numconns <1-255> - When the number of consecutive failed connections has reached 
this value, the server is declared SERVER_DOWN and no further connections will be redirected for the 
retry period. Default: 8 


faildetect numclients <1-8> - Similar to the above command, this represents the number of 
consecutive failed connections coming from different clients. Default: 2 


retry <1-3600> - The retry period in seconds. After a server is declared SERVER_DOWN, clients 
request are no longer sent to that server. After "retry" seconds, the server is tested and if successful, it is 
declared OPERATIONAL again. Otherwise the server remains SERVER_DOWN for another "retry" period. 
Default: 60 


inservice - Enables the server. The "no inservice" command disables the server. 
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"no weight", "no maxclients", "no faildetect numconns" etc., will set the default values for 
the respective parameters. 


4.25.2.3 Virtual Server Configuration 


A simple TCP configuration: 


CLI (configuration)> ip slb vserver vserverl 
CLI (slb-vserver)> virtual 192.168.2.191 tcp 
CLI (slb-vserver 
( 
( 


)> serverfarm farml 
CLI (slb-vserver)> inservice 
CLI (slb-vserver)> exit 


For a virtual server, the following parameters must be configured: 
A virtual address and protocol (optionally a port): 
CLI (slb-vserver)> virtual <address> <tcp | udp> [<port>] 
The incoming connections with the protocol, port and IP address of the virtual server will be redirected 
using the SLB algorithm. 
A server farm name must be provided as follows: 
CLI (slb-vserver)> serverfarm <name> 


The virtual server will use the actual servers declared in the specified server farm. The server farm must 
be previously declared. 


Optionally, the following parameters can be configured: 


sticky <0-65535> - All connections coming for the same IP address will be redirected to the same real 
server if this option is configured. The parameter sets the period in seconds during which the (client-real 
server) mapping will be active after the connection closing. A value bigger than 0 means that the mapping 
will be active for the specified period even if there are no more active connections. When a new connection 
is requested, it will be redirected to the same real server. To disable sticky connections, use 'no sticky’. 
The default behavior is 'no sticky’. 


clients <ip address> <net mask> - only the specified clients are allowed to connect to SLB, the 
other connections will be dropped. 


idle <0-65535> - (for TCP connections only) Period of time (in seconds) during which the connection is 
considered operational when there is no traffic. Default value: 3600. 


delay <0-655535> - (for TCP connections only) Period of time (in seconds) during which the connection 
is considered active even after SYN_CLOSE is received; this enables delayed packets to be correctly 
redirected. Default value: 60. 





inservice - will enable the virtual server. The virtual server is out of service until this command is 
explicitly entered. To stop a virtual server, use "no inservice". 


To delete a virtual server, use "no ip slb vserver <name>" 
4.25.2.4 Port Bound Servers 


A server can be configured to accept traffic only on a port. 
To configure this service, use the complete form of the virtual command: 


CLI (slb-vserver)> virtual <address> <tcp | udp> <port> 


This command can be used in tandem with real server port redirection. 


4.25.3 Show commands 


To show the general statistics, use the following command: 
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CLI> show ip slb stats 


To show the list of active connections, which can be filtered by virtual server or client, use the command: 


CLI> show ip slb conns [client <ipaddress> | vserver <name>] 


To display information about a server farm, use the following command: 


CLI> show ip slb serverfarm <name> 


To display information about real servers, use the following command: 


CLI> show ip slb reals [vserver <name>] 


To display information about virtual servers, use the following command: 


CLI> show ip slb vserver [name <name>] 


To display information about sticky connections, use the following command: 


CLI> show ip slb sticky [client <ipaddress> | vserver <name>] 


4.25.4 Clear commands 


To clear all the active SLB connections, use the following command; optionally it can clear only the 
connections for a specific virtual server. 


CLI> clear ip slb conns [vserver <name>] 


To clear all the active sessions, use the following command. The session table is active only in case of 
virtual servers with the sticky option enabled. Each session represents a single client (IP address). This 
command will also clear the connections for the specified virtual server. 


CLI> clear ip slb sessions [vserver <name>] 


To reset the general counters of SLB, use the following command: 


CLI> clear ip slb counters 


4.25.5 Configuration Example 


A basic configuration: two server farms, one with 3 real servers and one with 2. 


ip slb serverfarm PUBLIC 
predictor leastconns 
real 10.1.1.1 

faildetect numconns 4 
retry 30 

inservice 

exit 


real 10.1.1.2 
faildetect numconns 4 
retry 30 

inservice 

exit 


real 10.1.1.3 
faildetect numconns 4 
retry 30 

inservice 

exit 


exit 
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ip slb serverfarm RECTRICTED 
real 20.1.1.1 

faildetect numconns 6 

retry 60 

inservice 

exit 


real 20.1.1.2 
faildetect numconns 6 
retry 60 

inservice 

exit 

exit 


ip slb vserver PUBLIC_HTTP 
serverfarm PUBLIC 

virtual 100.0.0.1 tcp 80 
idle 120 

delay 5 

inservice 

exit 


ip slb vserver RESTRICTED_HTTP 
serverfarm PUBLIC 

virtual 100.0.0.1 tcp 80 

idle 120 

delay 5 

clients 200.1.1.0 255.255.255.0 
sticky 60 

inservice 

exit 


In this example, the first virtual server (Public HTTP) is accessible to everyone and the second (Restricted 
HTTP) is only accessible by clients specified in the 200.1.1.0/24 address range. 


The other types of TCP or UDP connections are not managed by the SLB service but by the normal 
services of the router. The remaining traffic being not managed by the SLB service, packets are processed 
through NAT, ACL ...and so on. By default NAT is "bypass-all". If we don't want packets to pass through 
the router, we can configure an access-list that will deny all other incoming connections, so only the SLB 
connections will be accepted; this is achieved as follows: 


ip access-list standard denyall 
deny all 
exit 


interface ethernet 0/0 


ip access-group denyall in 
exit 
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4.26 


4.26. 


ROUTING INFORMATION PROTOCOL (RIPV1 AND RIPV2) 


This section describes the main features of the Routing Information Protocol (RIPv1 and RIPv2) and its 
configuration. 


1 Features 


The Routing Information Protocol is a mature but still commonly used Interior Gateway Protocol (IGP) 
defined for use in small, homogeneous networks, it is a classical distance-vector routing protocol. RIP 
(version 1) was first documented in RFC 1058; version 2 extensions are in RFC 2453. 


RIP uses broadcast (version 1) or multicast (version 2) User Datagram Protocol (UDP) data packets to 
exchange routing information. By default, RIP sends routing information updates every 30 seconds. This 
process is termed advertising. If a router does not receive an update from another router for 180 seconds 
or more, it marks the routes served by the non-updating router as being unusable. If the router has not 
been updated after 300 seconds, the router removes all routing table entries for the non-updating router. 


The metric that RIP uses to rate the value of different routes is a hop count. The hop count is the number 
of routers that a packet must traverse to reach the destination using a given route. A directly connected 
network has a metric of one; an unreachable network has a metric of 16. This very limited range of metrics 
makes RIP unsuitable for large networks. 


If the router has a default network path, RIP advertises a route that links the router to the pseudo network 
0.0.0.0. The network 0.0.0.0 does not exist; RIP treats 0.0.0.0 as a network to implement the default 
routing feature. The default network will be advertised if it was learned by RIP, or if the router has been 
configured to generate a default route. 


RIP sends routing updates to the interfaces directly connected to the specified networks. No routing 
updates will be advertised to, or received from the interfaces that do not belong to the specified networks 
in RIP. 


The implementation of RIP Version 2 supports plain text and MD5 authentication. 


4.26.2 Configuration Commands 


4.26.2. 


To configure RIP, the user should complete the tasks in the following sections. First enable RIP; the 
remaining tasks are optional. 


1 Enabling RIP 


RIP can be enabled or disabled on a network, in other words, interface(s). To do so, one must specify the 
network address by using the following commands in global configuration mode: 


CLI> configure terminal 
CLI (configure)> router rip 
CLI (router-rip) network <ip-address> 





The first command places the user in router configuration mode. The second command enables the RIP 
routing process on the interfaces which belong to the given network address. The parameter IP address 
must be the network address of a directly connected network. The network number specified should not 
contain any subnet information. There is no limit to the number of network commands that can be entered 
on the router. 


Once RIP is enabled on a network, RIP routing updates will be sent and received through the interfaces of 
that network. Also the interfaces without network addresses will not be advertised by any RIP update. To 
remove an entry, use the no form of this command. 


The following command in router configuration mode allows user to disable the sending of routing updates 
on a specific interface: 


CLI (router-rip)> passive-interface <type> <unit> 
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The default behavior is to send routing updates on an interface on the specified networks. To return to the 
default behavior, use the no form of this command. 


4.26.2.2 Adjusting Timers 


RIP makes use of several timers to control the frequency of routing updates and the interval to drop 
obsolete routes, for example. Users can adjust these timers to tune routing protocol performance to better 
suit the needs of their own network environment. The following timers can be adjusted: 


e —_ Time interval (in seconds) at which routing updates are sent (default is 30 seconds). 


e Time (in seconds) after which a route is declared invalid if no routing updates are received 
(default is 180 seconds). 


e Time (in seconds) after which an invalid route is removed from the routing table (default is 300 
seconds). 


To adjust these timers, the user should run the following command in router configuration mode: 
CLI (router-rip)> timer basic <update-timer> <invalid-timer> <flush- 


timer> [<hold-down-timer>] 


Use the default form of the above-referenced command to restore the default values. 


4.26.2.3. Setting RIP Versions 


By default, the software receives and sends RIP v2 packets. The user can configure the software to 
receive and send only v1 packets. To specify a RIP version to be used globally (for all interfaces) by the 
router, the user can run the following command: 


CLI> configure terminal 
CLI (configure)> router rip 
CLI (router-rip)> version <1-2> 





The default form of the above-referenced command restores the default value. 


The user can override the value configured by specifying another version for a particular interface. To 
control the RIP version in which RIP updates are sent to an interface, the user can run the following 
commands in interface configuration mode: 


CLI> configure terminal 
CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip rip send version <1-2> 





Similarly, to control the RIP version in which RIP updates are received from an interface, the user can run 
the following command in interface configuration mode: 


CLI> configure terminal 
CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip rip receive version <1-2> 





Use the default form of the above-referenced commands to return to the global version. 
4.26.2.4 Configuring Authentication 


RIP v1 does not support authentication. RIP v2 supports authentication of packets sent and received from 
an interface. 


A single mode of authentication is currently provided on an interface for which RIP authentication is 
enabled: plain text authentication. 


Before enabling RIP authentication on a specific interface, the user must define a key string in global 
configuration mode: 


configure)> key chain <key-chain-name> 
config-keychain)> key <key-id> 
config-keychain-ke)> key-string <key-string> 
config-keychain-ke)> exit 

config-keychain)> exit 

configure)> exit 





LI ( 
LI ( 
LI ( 
LI ( 
LI ( 
LI ( 
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The first command places user in key chain configuration mode. The second command defines a key 
identified by a unique key number and places user in key configuration mode. By entering the key-string 
keyword, the user will be able to define the character string associated with this particular key. 


Restriction: only one key can be defined in a key-chain. 


To configure RIP authentication, the following command must be executed in interface configuration mode 
to enable RIP authentication on a specific interface: 


CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip rip authentication key-chain <key-chain-name> 


4.26.2.5 Generating a Default Route into RIP 


To generate a default route into RIP, the following commands can be used: 
CLI (configure)> router rip 


CLI (router-rip)> default-information originate 


To disable this feature, use the no form of this command. 
4.26.2.6 Redistributing Routes 


For RIP to advertise routes learnt via other techniques than RIP, run the following command starting in 
router configuration mode: 


CLI (router-rip)> redistribute { connected | static | bgp | ospf } [ 


metric <0..16> ] [ route-map <route-map-name> ] 


connected designates routes that are directly connected. static indicates routes configured via static 
routing. bgp and ospf indicates that routes, learnt via BGP or OSPF, are redistributed by RIP. The 
metric argument provides the metric associated with the injected routes. The default metric is 1. 


You can optionally use route maps to advertise only certain routes. Route maps are a global mechanism 
for routing protocols that enables the filtering of undesired routes. As route-maps can be used for BGP, 
RIP and OSPF, some configuration commands for route maps are only relevant for certain protocols 
(mostly BGP), hence the fact that they are detailed in each section for every routing protocols. 


4.26.2.7 Route Filtering 


To control and filter routes advertised via RIP, OneOS offers route-maps and distribute-lists. As seen in 
4.26.2.6, route-maps are applied on redistributed routes. Route-maps select the injected routes that are 
allowed to be advertised by RIP and modify the route attributes. Distribute-lists are used to control which 
routes are advertised to interfaces. 


Both mechanisms require filtering that is either based on access-lists or prefix-lists. 
4.26.2.7.1 Filtering Based on Access Lists 
Such filtering is based on standard access lists. When using access-list for route filtering, access-lists have 


a special behavior: 


e The default route is written as follows: 0.0.0.0 0.0.0.0 (e.g. a rule to deny the default route: deny 
0.0.0.0 0.0.0.0) 


e = All routes (=any route) is entered as follows: 0.0.0.0 255.255.255.255 


e There must be an exact match for the network; sub-networks are not matched (if you configure 
permit 10.0.0.0 0.255.255.255, 10.0.1.0/24 is not matched by this rule). 


Example: the following access list only selects 10.1.1.0/24 and the default route, and denies all other 
routes: 


ip access-list standard rtfilter 
permit 0.0.0.0 0.0.0.0 
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permit 10.1.1.0 0.0.0.255 
deny 0.0.0.0 255.255.255.255 
exit 


4.26.2.7.2 Filtering Based on Prefix Lists 


Prefix lists can be used as an alternative to access lists in many route filtering commands (e.g. BGP route 
filtering). A prefix list must be set up before using it in a command. The entries in the prefix list are 
automatically ordered the longest first so the most specific match is chosen. The following sections will 
describe the different commands that are available for creating and managing prefix lists. Finally the 
section 4.26.2.7.2.4 "How the System Filters Traffic by Prefix List" will give on overview on how the filtering 
is done when using prefix lists. 


4.26.2.7.2.1 Prefix List Creation 


To create a prefix list, use the ip prefix-—list command, beginning in global configuration mode: 


CLI (configure)> ip prefix-list <list-name> {deny | permit} 
<network>/<len> [ge <ge-value>] [le <le-value>] 
It creates a prefix list with the name specified for 1ist-name. The optional keywords ge (= greater or 
equal) and le (= less or equal) can be used to specify the range of the prefix length to be matched for 
prefixes that are more specific than network/length. An exact match is assumed when neither ge nor le is 
specified. The range is assumed to be from ge-value to 32 if only the ge attribute is specified, and from 
len to le-value if only the le attribute is specified. 


A specified ge-value and/or le-value must satisfy the following condition: 





len < ge-value <= le-value <= 32 


To create a prefix list you must enter at least one permit or deny clause. 


To remove a prefix list and all of its entries, use the 'no ip prefix-list' command, beginning in 
global configuration mode: 


CLI (configure)> no ip prefix-list <list-name> [{deny | permit} 
<network>/<len> [ge <ge-value>] [le <le-value>]] 
It removes the prefix list with the name specified for <list-name>. 


For example, to deny all prefixes matching /24 in 128.0.0.0/8, you would use: 
CLI (configure)> ip prefix-list foo deny 128.0.0.0/8 ge 24 le 24 


4.26.2.7.2.2 Showing Prefix Entries 


To display information about prefix tables, prefix table entries, the policy associated with a node, or specific 
information about an entry, use the following commands, beginning in global mode. 
To display information about all prefix lists: 


CLI> show ip prefix-list [detail | summary] 


To display a table showing the entries in a prefix list: 


CLI> show ip prefix-list <name> [detail | summary] 


To display the policy associated with the node: 


CLI> show ip prefix-list <name> [<network>/<len>] 


To display all entries of a prefix list that are more specific than the given network and length: 


CLI> show ip prefix-list <name> [<network>/<len>] longer 


To display the entry of a prefix list that matches the given prefix (network and length of prefix): 





CLI> show ip prefix-list <name> [<network>/<len>] first-—match 


4.26.2.7.2.3 Clearing the Hit Count Table of Prefix List Entries 
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To clear the hit count table of prefix list entries, use the next command, beginning in global mode: 


CLI> clear ip prefix-list <name> [<network>/<len>] 


It clears the hit count table of the prefix list entries. 
4.26.2.7.2.4 How the System Filters Traffic by Prefix List 


Filtering by prefix list involves matching the prefixes of routes with those listed in the prefix list. When there 
is a match, the route is used. More specifically, whether a prefix is permitted or denied is based upon the 
following rules: 


e An empty prefix list permits all prefixes. 
e Animplicit-deny is assumed if a given prefix does not match any entries of a prefix list. 
e When multiple entries of a prefix list match a given prefix, the longest, most specific match is chosen. 


The router begins the search at the top of the prefix list. Once a match or deny occurs, the router does not 
need to go through the rest of the prefix list. 


Filtering can be handled on the level of routing information and from different sources. To do that, several 
mechanisms are detailed in the following sections. 


4.26.2.7.3 Distribute-Lists 


Distribute-list controls the received/sent routes advertised via RIP. First, you must create an access- 
list/prefix-list as defined in the previous sections. Then, you can specify the distribute-list that is applied on 
all interfaces or on the specified interface. 


CLI (configure) > distribute-list <acl-name> {in | out} [ <interface> 
<unit>] 


4.26.2.7.4 Route Maps 


To define a route map use the following command, beginning from the global configuration terminal: 


CLI (configure)> route-map <map-tag> [permit | deny] [<sequence-number>] 


Where 


<map-tag> is a string identifying the route map. 

<sequence-number> is an integer indicating the relative position compared to other instances 
that define the route-map. When RIP applies a route-map instance to routing advertisements, it 
applies the lowest instance first. If the set of conditions is not met the next instance is used and so 
on until either a condition is met or there is no more condition to apply. We generally use ‘10’ as 
<sequence-number> when creating the route map and use increments of ‘10’ for the following 
route map sequence, so that you can insert easily other route map instances between already 
configured instances. 


Conditions are expressed using the match command that is defined as follows: 


CLI(configure-route-map)> match ip  {address|next—hop} {<access-list- 
number> | prefix-list <prefix-—list-—name>] 





When using the address keyword, the match clause applies the access/prefix list to the advertised 
network. When using the next-hop keyword, the match clause applies the access/prefix list to the next- 
hop of the advertised network. 


You can modify the metric of matching advertisements: 


CLI (configure-route-map)> set metric <metric> 


It sets the route metric. The command set metric [+|-—]<metric> is only supported for BGP. 


To add a specific offset value to the metrics learnt via a specified interface, use the following command in 
interface configuration mode. Refer to the Example in dialer watch chapter. 
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Q 


LI> configure terminal 
LI(configure)> interface <type> <unit> 
Li(config-if)> ip rip metric <offset> 


Q 





Q 


4.26.2.8 Triggered RIP 


When there is a change in the route database, it can be desirable to advertise immediately the change to 
the network. For example, a router with an ISDN backup can announce in this way, that an ISDN backup 
has been setup and remote routers update more rapidly their routing tables. 


Triggered RIP enables RIP to send updates only when changes appear in the route database thus 
preventing unnecessary advertisements of routing updates on links, which are charged for usage time. The 
command is the following: 


CLI (configure)> router rip 
CLI (router-rip)> trigger-interface { serial <slot>/<port> | bri 
<slot>/<port>.<if-id> } 





Triggered RIP is available only on serial and BRI interfaces. 


4.26.2.9 Administrative Distance 


The administrative distance defines the preference for routes that are learnt via different routing protocols. 
By default, RIP has an administrative distance of 120. To modify this distance, use: 


CLI (router-rip)> distance <1..255> 


Use the following command to reset the default distance: 





CLI (router-rip)> no distance 
4.26.2.10 RIP Update Filtering 


RIP update filtering enables the router to select route prefixes that are advertised globally and/or per 
interfaces. The command is the following: 


CLI (router-rip)> distribute-list <acl-name> { in | out } [ <interface> 
<unit>] 


If the optional arguments are not provided, the filtering applies to all (either incoming or outgoing) updates. 
The access lists are standard access lists. 


For incoming updates, the filtering is applied first per interface, then globally. For outgoing updates, the 
global distribute-list is applied first, then per interface. 


Example 1: Outgoing Update Filtering 
We only want to advertise networks included in 20.1.0.0/16 on the FastEthernet 0/0 interface. 


configure terminal 

ip access-list standard out_rip_acl 

permit 20.1.0.0 0.0.255.255 
exit 

router rip 

distribute-list out_rip_acl out fastethernet 0/0 
exit 


Example 2: Incoming Update Filtering 
We accept all networks except 10.20.2.0/24 on the FastEthernet 0/0 interface. 


configure terminal 

ip access-list standard in_rip_ acl 

deny 10.20.2.0 0.0.0.255 

permit any 
exit 

router rip 

distribute-list in_rip_acl out fastethernet 0/0 
exit 
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4.26.3 Configuration Example 


Routers "mozart" and "bach" both have an interface conn 
routing information between the two routers using RIPv2: 


192.168.2.0 


20.1.1.0 
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ected to network 20.1.1.0/24. To exchange 


10.1.2.0 



















































mozart bach 
ml 192.168.2.88 20.1.1.88 20.1.1.48 10.1.2.48 ml 
For router bach, the configuration commands are as follows: 
configure terminal 
router rip 
network 10.0.0.0 
network 20.0.0.0 
exit 
To display current routes: 
CLI> show ip route 
Codes: C connected, S static, R - RIP, O - OSPF, o - other 
C 0.0.0.1/32 is directly connected, Null 0 
C 10.1.2.0/24 is directly connected, Ethernet 0/0 
C 20.1.1.0/24 is directly connected, FastEthernet 0/0 
C 127.0.0.1/32 is directly connected, Loopback 0 
R 192.168.2.0/24 via 20.1.1.88, FastEthernet 0/0 








For router mozart, the configuration commands are as follows: 


configure terminal 
router rip 
network 192.168.2.0 
network 20.0.0.0 
exit 


To display mozart routes: 


CLI> show ip route 

















Codes: C connected, S static, R - RIP, O - OSPF, o - other 
C 0.0.0.1/32 is directly connected, Null 0 

R 10.1.2.0/24 via 20.1.1.48, FastEthernet 0/0 

C 20.1.1.0/24 is directly connected, FastEthernet 0/0 

C 127.0.0.1/32 is directly connected, Loopback 0 

C 192.168.2.0/24 is directly connected, Ethernet 0/0 


4.26.4 Statistics 


The following command displays the parameters and current state of the active routing protocol process: 
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CLI> show ip protocols 


This command does not have parameters or keywords. The information displayed by this command is 
useful in debugging routing operations. The following is sample output from the show ip protocols 
command: 


CLI> show ip protocols 

Routing Protocol is RIP 

Sending updates every 30 seconds, next due in 13 seconds 
Invalid after 180 seconds, flushed after 300 
Redistributing: RIP 

Default version control: send version 2, receive version 2 
Interface Send Recv Key-chain 

Ethernet 0/0 2 2 

FastEthernet 0/0 2 2 

Routing for Networks: 

20.0.0.0 

10.0.0.0 











The show ip rip database command displays RIP routing database entries: 


CLI> show ip rip database [<destination>] [<netmask>] 


Invoked without parameters, the command will display all routing entries in the database. The following is 
sample output from the ‘show ip rip database’ command: 


CLI> show ip rip database 192.168.2.0 255.255.255.0 
192.168.2.0/24 
[2] via 20.1.1.88, 00:00:16, 


CLI> show ip rip database 

192.168.2.0/24 

[2] via 20.1.1.88, 00:00:22, 

10.1.2.0/24 directly connected, Ethernet 0/0 
20.1.1.0/24 directly connected, FastEthernet 0/0 











The following command displays the number of RIP messages sent and received on an interface involved 
in the RIP routing process: 


CLI> show ip rip interface [<type> <unit>] 


Invoked without parameters, the command will display statistics for all the interfaces involved in the RIP 
routing process. The following is sample output from the ‘show ip rip interface’ command: 


CLI> show ip rip interface ethernet 0/0 

0 packets, O discards, 0 bad routes 
UT: 124 packets 

LI> show ip rip interface 

thernet 0/0 

0 packets, O discards, 0 bad routes 
UT: 125 packets 

Ethernet 0/0 

121 packets, O discards, 0 bad routes 
UT: 124 packets 








o@ 
“QD 
ct 








OHFOH FQOH 





The following command displays the total number of messages sent and received on all the interfaces 
involved in the RIP routing process: 


CLI> show ip rip statistics 


This command does not have parameters or keywords. The following is sample output from the command: 


CLI> show ip rip statistics 

IN: 130 packets, 0 discards, 0 bad routes 
OUT: 265 packets, 1 responses to queries 
3 route database changes 


4.26.5 Debug and Trace 


The following command enables logging of RIP routing transactions: 
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CLI> debug ip rip events 


The following is a sample of output from that command: 


0/0 





0/0 


Use the no form of this command to disable RIP routing transaction logging. 


The following command enables logging of RIP routing database changes. 


62253 
10.1. 
MOE22°3 
2.00 
LOe22% 
L6222°3 


16:22: 


42.599: 
2.48) 
42.599: 
1.48) 
42.600: 
42.600: 


9367.2) 


RI 


RI 
RI 





RI 


Ds 


RIP: 








sending v2 RESPONSE 

















sending v2 RESPONSE 





received v2 RESPONSE 








received v2 RESPONS 

















received v2 RESPONS 


CLI> debug ip rip database 


The following is a sample of output from that command: 


16:24: 
16:24: 
16:24: 


45.461: 
45.461: 
45.464: 


RIP-DB: 
RIP-DB: 
RIP-DB: 


to 224.0. 


to 224.0. 


from 10. 
from 20. 


from 20. 


via Ethernet 0/0 








via FastEthernet 0/0 


.48 on Ethernet 0/0 
-48 on FastEthernet 








-88 on FastEthernet 


adding route to 20.0.0.0/8 through 20.1.1.48 
adding route to 20.1.1.0/24 through 20.1.1.48 
adding route to 192.168.2.0/24 through 20.1.1.88 


The no form of this command disables logging of RIP routing database changes. 
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4.27 BORDER GATEWAY PROTOCOL (BGP-4) 


4.27.1 Introduction 


The Border Gateway Protocol (BGP) is an intelligent IP routing protocol that dynamically learns routing 
paths, builds/updates forwarding tables and selects the best path when forwarding packets between 
autonomous systems that compose the Internet (an autonomous system is a collection of networks that 
are managed by a single administrative authority). It has become the de-facto standard for inter domain 
routing protocol and has been deployed to overcome significant scalability limitations and stability issues 
experienced with former protocols. Customer networks, such as corporations, governmental agencies, 
usually employ an Interior Gateway Protocol (IGP) such as RIP or OSPF for the exchange of routing 
information within their networks and to connect to the Internet through ISPs. When BGP is used between 
autonomous systems (AS), the protocol is referred to as External BGP (eBGP) where the use of BGP to 
exchange routes within an AS is referred to as Interior BGP (iBGP; iBGP is also an IGP). 


To achieve a high level of robustness and scalability, BGP uses several routing update attributes, to select 
the best path(s) and maintain a stable routing environment. 


Classless inter domain routing (CIDR) is used by BGP to reduce the size of the Internet routing tables. 


Full routing information is exchanged between BGP neighbors only when the TCP connection is first 
established between them. When changes to the routing table are detected, the BGP routers send to their 
neighbors only those routes that have changed, which makes the BGP routing protocol stable and well 
suited for environment when a large number of routes must be managed. Each BGP router advertises 
routing updates to their neighbors, which in turn can be filtered to optimize routing information distribution. 


4.27.2 BGP Configuration Steps 


a) There are many options for BGP configuration. However, few steps are mandatory. They are: 
- BGP routing activation 
- BGP neighbor configuration 


b) Each routing update contains path information as well as some additional attributes that are used during 
BGP route selection process. You may want to force preference of certain paths. To achieve this goal, the 
solution is to select and filter routing updates and to modify the attributes of these filtered routing updates 
in order to influence the best path selection process. 


The powerful design of BGP enables a flexible filtering of inbound and outbound updates using a large 
variety of criteria. The rules for filtering are known as routing policies and use several types of filtering: 


e By AS path filters (all routing updates contain a string, which is an aggregate of all traversed 
AS. AS path filters are filtering rules for the selection of routes traversing certain AS) 


e —_ By prefix lists (routes filtered based on the prefix list) 


e ~—- By access lists 


The filtering and specific attribute modification is then handled in route maps. The so-called “distribute-list" 
enables the filtering of inbound and outbound updates. 


When applying a new routing policy, it becomes possible that some information stored in the BGP router 
becomes deprecated. This is because the new routing policy will not allow these routing updates to be 
received / emitted. Therefore, it becomes necessary to apply BGP connection resets. 


d) As BGP is an Exterior Gateway protocol, it is designed to scale on large networks. BGP routers may 
have to process large routing tables. Some BGP optimizations (such as flap dampening and route 
aggregation) can help in significantly reducing the amount of resources required by BGP. 
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4.27.2.1_ Required BGP Configuration Steps 


The tasks in this section are for basic BGP feature configuration. 


4.27.2.1.1| Enabling BGP Routing 


To enable BGP routing, use the following commands beginning in global configuration mode: 
Step 1 
CLI (configure)> router bgp <autonomous-system> 
CLI (config-router) > 
The autonomous-system is an integer value, uniquely designating the AS. The command creates a 
BGP routing process. The CLI enters in router configuration mode. 
Step 2 
CLI (config-router)> network <network>/<len> [ route-map <name>] 
The command sets a network as local to this autonomous system. In other words, this network is by de- 


facto entered into the BGP database. A route-map is applied when you need to apply some filtering (see 
4.27.11.3.3 for route-maps). 


Unlike in some other BGP implementations, a network is advertised even if it is not present in the IP 
routing table. 


4.27.2.1.2 BGP Neighbor Configuration 


As in any EGP protocol, a BGP router must have its neighbors declared. This task is required. 


BGP neighbors are either internal or external. If a neighbor is internal, the router uses the Interior BGP 
protocol and the neighbor is in the same AS. Otherwise, the router is external and managed in a different 
AS. 


To configure BGP neighbors, use the following command, beginning in router configuration mode: 
Step 1 
CLI (config-router)> neighbor <ip-address> 
CLI (config-router-neighbor) > 
The command selects the neighbor for which the configuration is to be entered. The CLI enters in neighbor 
configuration mode. 
Step 2 
Then, specify the AS of the BGP neighbor. 


CLI (config-router-neighbor) > remote-as <number> 
4.27.2.2_ Configuring TCP MD5 signature option for BGP sessions 


This TCP extension described in RF2385 allows protecting BGP sessions against spoofing attacks by 
including an MD5 digest acting as a signature in every TCP segment of a session. 


To enable this option for a BGP neighbor, use the following command, beginning in neighbor configuration 
mode or in peer-group configuration mode: 


CLI (config-router-neighbor)> password <password> [ <0-1> ] 
Where 'password' is a character string representing the clear text or encrypted password. The optional 
parameter specifies if the clear text password should be encrypted (0) or (1) if the password string 


represents the encrypted password. If the optional argument is not provided, the password remains stored 
in the configuration in clear text. 
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To disable this option use the following command: 


CLI (config-router-neighbor)> no password 


The show ip bgp neighbors <ip-address> command indicates if this option is enabled for a given 
neighbor: 


CLI> show ip bgp neighbors 192.168.2.2 
BGP neighbor is 192.168.2.2, remote AS 200, local AS 1, external link 
Member of peer-group bulls for session parameters 
BGP version 4, remote router ID 98.0.0.1 
TCP MD5 signature option is set for this neighbor 
BGP state = Established, up for 03:00:01 
Last read 00:00:01, hold time is 180, keepalive interval is 60 seconds 
Neighbor capabilities: 
Route refresh: advertised and received (old and new) 
Address family IPv4 Unicast: advertised and received 
Received 184 messages, 0 notifications, 0 in queue 
Sent 184 messages, 0 notifications, 0 in queue 
Route refresh request: received 0, sent 0 
Minimum time between advertisement runs is 30 seconds 














For address family: IPv4 Unicast 
bulls peer-group member 
1 accepted prefixes 


Connections established 1; dropped 0 
Local host: 192.168.2.1, Local port: 1026 
Foreign host: 192.168.2.2, Foreign port: 179 
Nexthop: 192.168.2.1 
Read thread: on Write thread: off 


The show tcp statistics command provides information about the number of TCP segments sent 
and received with the TCP MD5 signature option set. 


CLI> show tcp statistics 
TCP statistics: 
IN: 4679 total 
Q checksum error, O bad offset, 0 too short 
3147 packets (37045 bytes) in sequence 
0 dup packets (0 bytes) 
partially dup packets (0 bytes) 
out-of-order packets (0 bytes) 
packets (0 bytes) with data after window 
packets after clos 
window probe packets, 2 window update packets 
0 dup ack packets, O ack packets with unsend data 
3164 ack packets (39070 bytes) 
194 md5 packets, 0 invalid md5 
OUT: 4857 total, 0 urgent packets 
3 control packets 
3162 data packets (39068 bytes) 
0 data packets (0 bytes) retransmitted 
1692 ack only packets (915 delayed) 
0 window probe packets, 0 window update packets 
373 md5 packets 
6 connections established (including 3 initiated, 3 accepted) 
8 connections closed (including 0 dropped, 0 embryonic dropped) 
0 total rxmt timeout, O connections dropped in rxmt timeout 
291 keepalive timeout, 0 keepalive probe, 0 connections dropped in 
keepalive 








oe eORene) 








4.27.3 SNMP Traps 


When a BGP neighbor connection is lost or goes up, a trap can be sent if an event manager is configured 
and if the following command is entered: 
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CLI (configure)> snmp traps bgp 


4.27.4 BGP Peer Groups 


A BGP router is usually connected to multiple neighbor routers. In most cases, you may want to apply a 
common set of routing policies to these BGP peers. For that purpose, OneOS supports the creation of 
peer groups. Peer groups collect routing policies for a set of BGP peers. So, whenever you need to 
change a policy for each peers of the BGP router, you only need to do it once, in peer-group configuration. 
It is comparable with the concept of PPP virtual template. 


The only difference is that you can override parameters defined in peer-group configuration in neighbor 
configuration. By default, neighbors member of the peer-group inherit the peer-group parameters unless 
re-configured in neighbor configuration. 


The configuration of peer groups is achieved in three steps: 
1. Peer Group Creation 
2. Assignment of routing policy options 


3. Definition of neighbors, which are member of the peer group 
4.27.4.1_ Peer Group Creation 


A BGP peer group is created as follows, beginning in router configuration mode: 





CLI (config-router) > peer-group <peer-group-—name> 
4.27.4.2_Assignment of Routing Policies and Attributes 


The same routing attributes and filters are provided in neighbor configuration mode. 
To specify a BGP neighbor, use the following command: 


CLI (config-router-group) > remote-as <number> 


To associate a description with a neighbor, use the following command: 


CLI (config-router-group)> description <text> 


To allow a BGP speaker (the local router) to send the default route 0.0.0.0 to a neighbor for use as a 
default route, use the following command: 


CLI (config-router-group) > default-originate [route-map <map-—name>] 


To specify that the COMMUNITIES attribute is to be sent to the neighbor at this IP address: 


CLI (config-router-group) > send-community 


To allow internal BGP sessions to use any operational interface for TCP connections: 





CLI (config-router-group) > update-source <interface> <unit> 


To allow BGP sessions, even when the neighbor is not on a directly connected segment: 


CLI (config-router-group) > ebgp-multihop 


To set the minimum interval between emissions of BGP routing updates: 





CLI (config-router-group) > advertisement-interval <seconds> 
To limit the number of prefixes allowed from a neighbor, use the following command ('warning-only' 
permits to exceed this number of prefix but a log message is generated): 

CLI (config-router-group) > maximum-prefix <number> [warning-only] 
BGP uses the AS path to discover routing loops. In some network topologies, access routers exchange 
routing information via iBGP (in the same AS), but communicate through a backbone routing domain with a 


different AS number. Routing updates coming from the remote access routers have AS paths formed as 
follows: “AS(customer),AS(backbone)”. Such received update is normally dropped, because an update for 
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an intra-AS route is learnt via another AS. By default, no loop is permitted. The command ‘allowas-—in’ 
permits loops by providing the number of times the router's own AS number can appear in the AS path of 
received updates. 


CLI (config-router-group)> allowas-in <nb-of-—loops> 


To filter BGP routing updates to/from neighbors, as specified in an access list: 


CLI (config-router-group) > distribute-list <access-—list-—name> {in | out} 


To establish a BGP filter: 


CLI (config-router-group)> filter-list <access-list-name> {in | out} 


To disable next-hop processing on BGP updates to a neighbor: 


CLI (config-router-group) > next—-hop-self 


To apply a route map to incoming or outgoing routes: 


CLI (config-router-group) > route-map <map-name> {in | out} 


To configure the software to start storing received updates: 





CLI (config-router-group) > soft-reconfiguration inbound 
4.27.4.3, Neighbor Membership Configuration in a Peer Group 


Once you have created the peer group and some associated parameters, return to the router configuration 
mode, select a neighbor (‘neighbor <ip-addr>') and enter the peer group name, which the neighbor 
belongs to: 


CLI (config-router-neighbor)> peer-group <peer-group-name> 
4.27.4.4 Disabling a Peer or Peer Group 


To disable an existing BGP neighbor or a peer group, use the shutdown command, beginning in neighbor 
or peer group configuration mode: 


CLI (config-router-neighbor) > shutdown 


To re-enable the peer group or neighbor, use: 


CLI (config-router-neighbor)> no shutdown 
4.27.5 Load Sharing 


By default, BGP tries to select the best path for a route to a network by using several selection criteria. 
They are, in order of priority: 
1. Prefer the highest weight 
Prefer the highest local preference 
Prefer the shortest AS path 
Prefer routes whose origin is IGP over EGP. Prefer EGP over Incomplete origin 
Prefer the lowest MED 


oa fF wo LN 


Routes learnt via BGP are indicated via a next-hop. The metric of the routes to the different 
next hop are compared; the lowest metric is preferred. 


If at this stage of the path selection algorithm, some routes are considered equal, they can be all installed 
in the routing table, only if load sharing is enabled. To activate load sharing with BGP, the maximum 
number of equal routes must be entered, default: 1: 


CLI (config-router-group) > maximum-path <nb-of-routes> 


nb-of-routes designates the maximum number of equal routes that are allowed to be transmitted to the 
routing table. Load sharing is managed with BGP routes like static routes (see 4.5.2.5). 
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4.27.6 Backdoor Routes 


A backdoor route is a special network that the BGP router should use for routing, but the router should not 
advertise the route. A backdoor route is entered as follows: 


CLI (config-router)> network <network>/<len> backdoor 
4.27.7 Administrative Distance 


The administrative distance defines the preference for routes that are learnt via different routing protocols. 
To modify the distance values, use: 


CLI (config-router)> distance bgp <ebgp> <ibgp> <local> 


Where: 

<ebgp> is the administrative distance for routes learnt via EBGP. Default: 20. 

<ibgp> is the administrative distance for routes learnt via IBGP. Default: 200. 

<local> is the distance for routes advertised using the ‘network’ command. Default: 200. 


Use the following command to reset the default distance: 


CLI (config-router)> no distance bgp 
4.27.8 Route Redistribution 


Route redistribution is an alternative to the 'network' command to advertise networks using BGP. It 
consists in injecting connected, static or IGP routes into BGP database. The injected routes are advertised 
whenever BGP scans its database (periodical process). To advertise directly connected network routes via 
BGP, run the following command starting in router configuration mode: 


CLI (config-router)> redistribute connected [metric <metric>] [route-map 
<name>] 
To advertise static routes via BGP, run the command: 
CLI (config-router)> redistribute static [metric <metric>] [route-map 
<name>] 
To advertise routes learned through an external protocol via BGP, run the command: 
CLI (config-router)> redistribute { rip | ospf } [metric <metric>] 


[route-map <route-map-name>] 


The metric argument is the metric used to advertise the redistributed routes. The route-map-—name 
permits the filtering of certain routes. See 4.27.11.3.3 for details on route maps. 


4.27.9 Modification of BGP Routing 
4.27.9.1_ Disabling AS Path Comparison 


RFC 1771 (the IETF document defining BGP) recommends the use of the "tie-breaker" decision algorithm, 
which does not include AS-path as part of the decision process. By default, OneOS software considers the 
AS-path as a part of the decision algorithm. 


This command makes it possible to modify the decision algorithm, so that the router does not consider AS- 
path during the decision process, thus making the router compliant with the IETF recommendation. To 
prevent the router from considering the AS-path length when selecting a route, use the following 
command, beginning in router configuration mode: 


CLI (config-router)> bgp bestpath as-path ignore 


This command configures the router to ignore AS-path length when selecting a route. 
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4.27.9.2 Configuration of Default Local Preference 


The local preference is an attribute part of the BGP routing decision process. By default, the local 
preference is 100. To set a different default local preference, use the following command in router 
configuration mode: 


CLI (config-router)> bgp default local-preference <value> 
The lower the 'value' is, the lower the preference is. You can also use route maps to change the default 
local preference for specific paths, beginning in route map configuration mode: 


CLI (config-route-map) > set local-preference 
4.27.9.3 Disabled Default Next-Hop Processing 


Routers can receive routing updates, for which the next-hop router to be used is unknown. This happens 
when the network is not fully meshed (FR, ATM networks). The solution is to substitute the next-hop router 
address by a router that can be directly reached by the router (an adjacent router). There are two ways to 
manage this next-hop processing: 


e Provide a specific address to be used instead of the next-hop address (manually configuring each 
address). 


e Use a route map to specify that the address of the remote peer for matching inbound routes, or the 
local router for matching outbound routes (automatic method). 
4.27.9.4 Next-Hop Setting Using Self Address 
To disable next-hop processing and provide a specific address to be used instead of the next-hop address, 
use the neighbor next-hop-self command, beginning in neighbor or peer-group configuration mode: 
CLI (config-router-neighbor) > next—hop-self 
Disables next-hop processing on BGP updates to a neighbor. Using this command, the router is forced to 


advertise updates with its peering address instead of the router address specified in its database. In other 
words, routers receiving this route update use the current router as next hop for that received route. 


4.27.9.5 Next-Hop Setting Using a Route Map 


To configure the neighbor peering address to be used for the next hop address, use the 'set ip next-hop' 
command, beginning in route map configuration mode: 


CLI (config-route-map)> set ip next-hop <ip-address> 


Note: for further information about route maps, please refer to 4.27.11.3.3. 


With an inbound route map of a BGP peer, it sets the next hop of the matching routes to be the neighbor 
peering address, overriding any third-party next hops and allowing the same route map to be applied to 
multiple BGP peers to override third-party next hops. 


With an outbound route map of a BGP peer, it sets the next hop of the received address to the peering 
address of the local router, disabling the next hop calculation. 


The next hop must be an adjacent router. 
4.27.9.6 Multi Exit Discriminator Metric Configuration 
BGP uses the Multi Exit Discriminator (MED) metric as a criterion to external neighbors about preferred 


paths. Use the set metric command, beginning in route map configuration mode: 


CLI (config-route-map)> set metric <number> 


The command sets the metric to the specified number for matching routes. 
4.27.9.7 Configuring the Router to Consider a Missing MED as Worst Path 


To configure the router to consider a path with a missing MED attribute as the worst path, use the 'bgp 
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bestpath med missing-as-worst' command, beginning in router configuration mode: 
CLI (config-router)> bgp bestpath med missing-—as-—worst 
The command configures the router to consider a missing MED as having a value of infinity, making the 


path without a MED-value the least desirable path. The 'no' form of the command re-enables the default 
behavior, i.e. the MED is considered as 0 (best path). 


4.27.9.8 Path Selection Based on MEDs from Other AS 


The route selection process compares (among other criteria) the MED of all different paths from the same 
AS. If you wish to enable MED comparison of paths received from any AS, use the next command in router 
configuration mode: 


CLI (config-router)> bgp always-—compare-med 
4.27.9.9 MED-Based Routing in Confederations 


The concept of AS confederation is later described in this document in section 4.27.12.2. To configure the 
router to consider the MED value when choosing a path in confederations, use the 'bgp bestpath med 
confed' command, beginning in router configuration mode: 


CLI (config-router)> bgp bestpath med confed 
The command configures the router to consider the MED in choosing a path from among those advertised 
by different sub-ASs within a confederation. 


The comparison between MEDs is only made if there are no external ASs in the path (an external AS is an 
AS that is not within the confederation). If there is an external AS in the path, then the external MED is 
passed transparently through the confederation, and the comparison is not made. 


To configure the router to use the MED to select the best path among paths advertised by a single sub-AS 
within a confederation, use the 'bgp deterministic med' command, beginning in router configuration 
mode: 


CLI (config-router)> bgp deterministic med 
The command configures the router to compare the MED variable when choosing among routes 
advertised by different peers in the same autonomous system. 


If bgp always-compare-med is enabled, all paths are fully comparable, including those from other AS's 
in the confederation, even ifbgp deterministic med is also enabled. 


4.27.9.10 Administrative Weight 


A weight is a number from 0 to 65535 used as a criterion for the route selection process. The path with the 
highest weight is preferred. This attribute is local to the router. By default, any path originated by the router 
has a weight of 32768 (routes manually configured when entering 'neighbor <ip>'), while others have 
a weight worth 0. 


If you want to prefer certain routes learned from a neighbor, you can assign weights on a per-neighbor 
basis. The first command is the following beginning in neighbor configuration mode: 


CLI (config-router-neighbor)> weight <weight> 


Alternatively, you can selectively set the weight attribute for updates matching a route map, beginning in 
route-map configuration mode: 


CLI (config-route-map)> set weight <weight> 


If weight is configured for both route maps and neighbors, then the weight set in route map prevails over 
the weight defined in neighbor configuration mode. 


4.27.10 BGP Timer Configuration 


BGP does not broadcast message to exchange routing information, instead BGP uses a connection- 
oriented communication protocol, based on TCP. Keep alive messages are sent on a periodical basis 
(keep alive period, default 60 sec) to test neighbor presence. If the peer does not respond after "hold-time" 
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(default 180 sec), the peer is considered as unavailable. 


It should be noted that the hold time value is negotiated between BGP peers, by taking the smallest of 
both peer hold time values. To assign keep alive and hold time values globally to the router, use the 
following command in BGP router configuration mode: 


CLI (config-router)> timers bgp <keepalive> <hold-time> 
If you wish to adjust timers only for a specific neighbor/peer group, enter in neighbor/peer group 
configuration mode and type in: 


CLI (config-router-neighbor)> timers <keepalive> <holdtime> 


All values above are provided in seconds. 


The timers configured for a specific neighbor or peer group override the timers configured for all BGP 
neighbors using the 'timers bgp' command. 


To restore the default timer values for a BGP neighbor or a peer group, use the no form of the neighbor 
timers command. 


4.27.11 Routing Policies 
In BGP, routing policies are implemented by using filters to control the level of routing information that is 


exchanged by an autonomous system with its neighbors. Filtering is handled by: 


e Route identification based on criteria settings to differentiate routes from each other. Such criteria can 
be based on the route IP prefix, the autonomous system from which the route was originated, an AS 
path or an attribute value inside a route. 


e Permitting or denying routes depends on the filtering rules that have been setup for that juncture. A 
permitted route is accepted without change or can be submitted for attributes modification to change 
its behavior. A denied route is simply discarded. 


e =6 Attribute modification for a permitted route can be done if it is necessary to change the decision 
process. 


The route filtering process will use the list of all defined criteria and will stop the process when a route 
matches filtering criteria. The order in which the criteria in the list are defined becomes very important. 


BGP inbound or outbound advertisements filtering can be handled in two ways: 


e AS-path filters can be used, by means of the 'ip as-path access-list' command in global 
configuration mode and the neighbor 'filter-list' command 


e Use access or prefix lists, by means of the 'distribute-list' command in neighbor configuration 
mode. 


4.27.11.1 AS Path Filter Definition 


In addition to filtering routing updates based on network addresses, you can specify an access list filter on 
both incoming and outbound updates based on the BGP AS paths. Each filter is an access list based on 
regular expressions. 


Regular expressions (‘regexp’) are based on “POSIX 1003.2” and enable you to search and filter strings 
within AS paths. To achieve such filtering, the regular expression matches the input string against a 
pattern. The pattern is composed of a combination of: 


e Characters: they must be matched exactly in the string. 


e Symbols (called atoms or pieces): they are not matched themselves. They provide a parameter to 
regexp for string search. 


Atoms: 

e ”.” Matches any character 

e *A“The match must be done at the beginning of the string 
e ”$“ The match must be done at the end of the string 


e \“ Matches the character following '\' (useful to match characters normally used as atoms or pieces) 


Page 4.27-456 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


e ”_“ Matches a punctuation symbol (“,” “{“ “}”). When applied to AS path filtering, this means 
somewhere in the middle, the beginning or the end of the input string. ( ”_100_“ matches a string 
where AS 100 is included as a transit AS) 


Pieces: 


e ”*” Matches any following string, regardless of the preceding character (”‘100.*” means the route is 
originated by AS 100) 


e ”+” Matches string if there is at least one occurrence of the preceding character 


e 2” Matches if the preceding character is present in the string or no character is present at all. ("xy?z” 
matches *xyz” or ’xz” but not ”xaz”) 


To do such filters, define an AS path access list and apply it to updates to and from particular neighbors. 
4.27.11.2 Community List 


In the context of BGP a community is a group of destinations that share some common attributes. A 
community is not restricted to a network neither to an autonomous system. Communities are used to 
simplify routing policies by identifying routes based on a logical property instead of an IP prefix or an 
autonomous number. 


To manage communities BGP uses the COMMUNITIES attribute that can take a numeric value from 1 to 
4294967275 (or the same in AA:NN format). A few community values have pre-defined names; they are 
described below (pre-defined names are case sensitive): 


e internet: advertise this route to Internet community. Reminder: all routers belong to it 
e no-export: no route advertising to eBGP peers 
e no-advertise: no route advertising to any peer 


e local-ASs: no route advertising outside the local autonomous system 


Communities are a handy way to control how routing information is carried from peer to peer. To use 
communities you will need to define community lists using the following command: 


CLI (configure)> ip community-list <community-list-number> {permit | deny} 
{ <1-4294967275> | <lower-community-number>:<higher-community-number> 
| local-AS | internet | no-advertise | no-export } 


Where community-list-number is a number ranging from 1 to 99 that identifies one or more 
permit/deny groups of communities. 


4.27.11.3 Routing Policies Applied to Neighbors 
4.27.11.3.1 Route Filtering 


As we are dealing with network addresses this can be done by using distribute list filters based either on 
an access list or a prefix list and apply it to the updates received from a specific neighbor. 


To filter BGP routing updates, use the distribute-list command, beginning in neighbor configuration mode: 


CLI (config-router-neighbor) > distribute-list <access-list-name> {in | 
out } 


Filters BGP routing updates to/from neighbors as specified in an access list. 
For a peer-group, use the same command beginning in peer group configuration mode: 

CLI (config-router-group)> distribute-list <access-list-—name> {in | out} 
The neighbor prefix-list router configuration command can be used as an alternative to the neighbor 
distribute-list router configuration command, but you cannot use both commands to configure the same 


BGP peer in any specific direction. These two commands are mutually exclusive, and only one command 
(neighbor prefix-list or neighbor distribute-list) can be applied for each inbound or outbound direction. 


Prefix-list use is defined in 4.26.2.7.2 and access-lists us for route filtering in 4.26.2.7.1. 
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4.27.11.3.2 AS Path Filtering 


Filtering routes based on AS path information becomes very handy when filtering is needed for all routes 
for the same or multiple AS’s. Defining access lists based on patterns as described in the 'AS Path Filter 
Definition’ section instead of using a long list of routes defined on a prefix basis is much more efficient. 


Path filtering configuration is done by submitting the following commands starting in global configuration 
mode: 


Step 1 


CLI (configure)> ip as-path access-list <access-list-name> {permit | deny} 
<as-regular-expression> 





This command defines a BGP-related access list. 
Step 2 


CLI (configure) > router bgp <autonomous-system> 


This command enters router configuration mode. 
Step 3 


CLI (config-router)> neighbor <ip-address> 


This command enters neighbor configuration mode. 


CLI (config-router-neighbor)> filter-list <access-list-name> {in | out} 


This command establishes a BGP filter. This command is also available in peer-group configuration mode. 


4.27.11.3.3 Route Map 
With BGP, route maps are used to control and modify routing information. They can also be used to filter 
specific routes and to define criteria by which routes are distributed between domains. 
To define a route map use the following command: 


CLI (configure)> route-map <map-tag> {permit | deny} [<sequence-number>] 


Where 
map-tag Is a string identifying the route map. 


sequence-number is an integer indicating the relative position compared to other instances that define 
the route-map. 


When BGP applies a route-map instance to routing updates, it applies the lowest instance first. If the set of 
conditions is not met the next instance is used and so on until either a condition is met or there are no 
more conditions to apply. Conditions are expressed using the match command that is defined as follows: 


match as-path <path-access-—list-number> 








Or 
match community <community-list-name> [exact-match] 
Or 
match ip { address | next-hop } { <access-list-number> | prefix-list 
<prefix-list-name> } 
Or 


match metric <0-4294967295> 


Filtering updates as well as modifying attributes can be done on a per-neighbor basis by using route maps. 
AS path, network numbers and community matching can be used but in order to be effective, each 
requires a corresponding as-path access-list, access-list and community-list command. 
Route maps can be applied to both inbound (to accept route) or outbound updates. 


Once filtering criteria are defined, you may wish to modify routing attributes. 


The following command selects specific community to add or replace in routing updates or suppress the 
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community attribute. 
set community { { add | replace } <1-4294967275> 


| <lower-community-number>:<higher-communit y—-number> 
| local-AS | internet | no-advertise | no-export } | none} 
Use the following command to delete a community list: 


set comm-list <1..99> delete 


Use the following command to force the next hop IP address: 


set ip next-hop <ip-address> 


Use the following command to change the default local preference: 
set local-preference <0. .4294967295> 


To set or increment/decrement the route metric: 

set metric [{+|]-}]<metric> 
To filter updates using a pre-defined route map use the following command when in neighbor or in peer- 
group configuration mode: 


CLI (configure-router-neighbor) > route-map <route-map-name> {in | out} 
4.27.12 BGP Optimizations 


In this section, we described features, which help a network engineer in simplifying and enhancing device 
configuration and performance. 


4.27.12.1 Configuration of Aggregate Address 


Aggregate routes are supported to reduce the routing table size. If several routes are exchanged for nodes 
in the same address range, the set of addresses is aggregated if they are in the same sub-network 
(address and mask). The route to the network address is exchanged rather than each route to each node 
in order to reduce the number of exchanged routes. 


You can configure aggregate routes in BGP either by redistributing an aggregate route into BGP or by 
using the conditional aggregation feature described below. An aggregate address will be added to the 
BGP table if there is at least one more specific entry in the BGP table. 


To allow the creation of address aggregates, use one or more of the following commands, beginning in 
router configuration mode. 


Use the following command to create an aggregate entry in the BGP routing table. The router will advertise 
the prefix, which summarizes a number of more specific routes. The path information is lost and is the 
same as if the route was originated from the router AS. 


CLI (config-router)> aggregate-address <network>/<len> 
Use the following command to avoid loosing the path information. The router will generate the autonomous 


system set path information and will advertise the prefix and the more specific routes and include as-set 
information in the path information of updates. 


CLI (config-router)> aggregate-address <network>/<len> as-set 
Use the following command to advertise summary addresses only. The router will advertise only the prefix, 


which summarizes a number of more specific routes and will suppress these more specific routes from 
updates. 


CLI (config-router)> aggregate-address <network>/<len> summary-only 
4.27.12.2 AS Confederation 


Routers in a carrier network can often be managed in a single AS. However, BGP requires that all of the 
IBGP speakers (routers inside an AS) be fully meshed. This mesh may cause scalability issues, extra 
complexity and unnecessarily large routing tables. 
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This problem can be circumvented using AS confederations. To reduce the mesh a large autonomous 
system (AS) is split in several sub-AS. All sub-AS are grouped into an AS confederation and the AS 
confederation is seen as a conventional AS by outside neighbor routers. 


Instead of a full mesh in AS confederation, routers inside the sub-AS are only connected with their EBGP 
neighbors and with all routers inside the sub-AS. The objective of reducing mesh complexity and routing 
table size is thus achieved. Even though routers inside an AS confederation use EBGP, routing information 
is exchanged as if they were IBGP neighbors, thus protecting routing attributes such as next-hop, MED 
and local preference. 


To configure a BGP confederation, you must specify a confederation identifier. External routers to the 
confederation interpret the group of autonomous systems as a single autonomous system with the 
confederation identifier representing the autonomous system number. 


To configure a BGP confederation identifier, use the 'bgp confederation identifier' command, 
beginning in router configuration mode: 


CLI (config-router)> bgp confederation identifier <autonomous-system> 


In order to handle neighbors from other autonomous systems (within the confederation) as EBGP peers 
(instead of IBGP neighbors), use the 'bgp confederation peers' command, beginning in router 
configuration mode: 


CLI (config-router)> bgp confederation peers <autonomous-system> 
[<autonomous-system>...] 
This command specifies the autonomous systems that belong to the confederation. 


4.27.12.3 Route Reflector Configuration 


Route reflectors are an alternative solution to the use of AS confederations. The objective remains 
identical, i.e. a reduction of the IBGP mesh. 


A reflector is a BGP router that redistributes between non-meshed routers, routes that should be learned 
via IBGP. 


The internal peers of the route reflector are divided into two groups: client peers and all the other routers in 
the autonomous system (non-client peers). A route reflector reflects routes between these two groups. 


The route reflector and its client peers form a cluster. The non-client peers must be fully meshed with each 
other, but the client peers need not be fully meshed. The clients in the cluster do not communicate with 
IBGP speakers outside their cluster. 


When the route reflector receives an advertised route, the route advertisement is as follows: 
e A route from an external BGP speaker is advertised to all clients and non-client peers. 
e A route from a non-client peer is advertised to all clients. 

e A route from a client is advertised to all clients and non-client peers. 


To configure a route reflector and its clients, use the following command, after selecting a neighbor 
("neighbor <ip-address>') or peer-group: 


CLI (config-router-neighbor)> route-reflector-client 


This command configures the local router as a BGP route reflector and the specified neighbor as a client. 
For failure resilience, several route reflectors can be declared to avoid the reflector being the most 
probable point of failure. If there are several route reflectors, they all have the same set of clients. To 
distinguish updates coming from several reflectors, a cluster-ID is used. You do not need to set this cluster 
ID when there is a single reflector. Otherwise, you must assign a cluster ID for that router as follows 
beginning in router configuration mode: 


CLI (config-router)> bgp cluster-id <0 - 32000> 
When using route reflectors, clients are only required to be connected to the reflector(s). Clients do not 
need to be meshed. If they are, clients can exchange routes using IBGP, which are later advertised by the 


reflector(s). To avoid this unnecessary behavior, you can disable client-to-client reflection using the 
following command: 


CLI (config-router)> no bgp client-to-client reflection 
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4.27.12.4 Route Flap Dampening 


When using dynamic routing protocols, it becomes possible to advertise routes availability and 
unavailability, which enhances the robustness of routing. However, this also opens the door to undesirable 
effects, i.e. flapping routing. Flapping routes are unstable routes, which become up and down at an 
unacceptable pace. Therefore, the BGP protocol advertises the presence and disappearance of a route 
with poor quality. It yields to: 


e Packet loss and unnecessary routing: packets are routed to that path and get either lost or re-routed 
to an available path if the route turns out unavailable during packet transit. 


e Unnecessary overhead in managing routes: the route ups and downs generate BGP add/withdraw 
messages, which require bandwidth. 


BGP flap dampening is an optional algorithm within BGP that evaluates the route quality (by accounting 
route up and downs) and discards poor quality routes. This makes sure that this route is not further 
propagated by BGP. 


The route quality is evaluated as follows: a router with the "flap dampening" feature enabled notices that a 
route is flapping. The route is recorded in "history state" by the router as having a default penalty of 1,000. 
Whenever the route flaps again, a new penalty is added cumulatively. If the penalty reaches a threshold 
("suppress limit"), the router stops advertising/redistributing this route. 


When not flapping during a "half life" period (15 minutes by default), the penalty decreases by half. The 
penalty evaluation process takes place every 5 sec. The route can be re-used when the penalty is under 
the "re-use limit". The maximum suppress limit is the maximum time during which a route can be 
suppressed (default = 4 times half life). 


4.27.12.4.1 Enabling Route Dampening 
To enable BGP route dampening, use the 'bgp dampening' command, beginning in router configuration 


mode: 


CLI (config-router)> bgp dampening 


To change the default values of various dampening factors, use the ‘bgp dampening’ command, 
beginning in router configuration mode: 





CLI (config-router)> bgp dampening [<half-life> [ <reuse> <suppress> <max- 
suppress>]] 


4.27.12.4.2 BGP Flap Dampening Statistics 
The following commands only apply to routes in the history state (i.e. flapping routes). Global flap statistics 


are given as follows: 


CLI> show ip bgp flap-statistics 


BGP flap statistics for paths matching the regexp: 
CLI> show ip bgp flap-statistics regexp <regexp> 


BGP flap statistics for paths matching the filter list: 
CLI> show ip bgp flap-statistics filter-list <list> 


BGP flap statistics for routes matching exactly a network: 


CLI> show ip bgp flap-statistics prefix <network>/<len> 


BGP flap statistics for routes matching a network and associated sub-networks: 


CLI> show ip bgp flap-statistics prefix <network>/<len> longer-prefixes 


Display all dampened routes: 


CLI> show ip bgp dampened-paths 
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You can reset BGP route dampening statistics and restore any suppressed routes by using the following 
command, beginning in global mode: 


CLI> clear ip bgp-dampening [<network>/<len>] 


4.27.13 BGP Statistics and Management 
4.27.13.1 Connection Resets 


When a new policy takes effect, it is possible that the stored information has been depleted, as the new 
policy does allow different attributes and routes. To re-synchronize BGP peers, it becomes necessary to 
refresh the BGP routers. To do so, a connection reset forces BGP to retrieve/send all routing updates and 
apply the new policy. 


One could use hard reset, but this method has the disadvantage of losing all information from neighbors, 
therefore, it is recommended to use a soft reset instead. Soft reset may be applied for inbound updates 
coming from a neighbor and subsequent route re-advertisements. Soft reset is also applicable to outbound 
updates. 


4.27.13.1.1 Dynamic Inbound Soft Reset 


The route refresh capability must be supported by both peers. A dynamic inbound soft reset makes a soft 
reset of the inbound routing table. The command is as follows: 


CLI> clear ip bgp {* | <as-number> | <ip-address> | external} soft in 
The <ip-address> argument specifies the connection to be reset. The <as-number> argument allows 
resetting connections for all the neighbors in a given autonomous system. Use the ™' keyword to specify 


that all connections be reset or the keyword external to specify only EBGP connections. The ‘external’ 
keyword designates all external BGP peers. 


For a peer-group, use instead: 





CLI> clear ip bgp-peer-group <peer-group-name> soft in 
4.27.13.1.2 Outbound Soft Reset 


Using the keyword 'soft' specifies that a soft reset be performed. To perform an outbound soft reset, use 
the 'clear ip bgp!' command, beginning in global mode: 


CLI> clear ip bgp {* | <as-number> | <ip-address> | external} soft out 


For a peer-group use instead: 





CLI> clear ip bgp-peer-group <peer-group-name> soft out 


The command arguments are the same as those for the Inbound Soft Reset. 
4.27.13.1.3 Soft Reset Configuration Using Stored Routing Policy Information 


If all of the BGP routers in the connection do not support the route refresh capability, use the soft reset 
method that generates a new set of inbound routing table updates from previously-stored information. To 
initiate storage of inbound routing table updates, you must first pre-configure the router using the neighbor 
soft-reconfiguration command. The 'clear ip bgp' command initiates the soft reset, which generates 
a new set of inbound routing table updates using the stored information. 


Keep in mind that the memory requirements for storing the inbound update information can become quite 
large. To configure BGP soft reset using stored routing policy information, use the following commands, 
beginning in neighbor configuration mode: 


CLI (config-router-neighbor) > soft-reconfiguration inbound 
This command resets the BGP session and initiates storage of inbound routing table updates from the 


specified neighbor. From now on, a copy of the BGP routing table for the specified neighbor is maintained 
on the router. 
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For a peer-group, use the same command beginning in peer group configuration mode (see peer group 
configuration): 


CLI (config-router-group) > soft-reconfiguration inbound 


All members of the peer group will inherit the characteristic configured with this command. 
4.27.13.1.4 EBGP Connection Reset after Link Failure 


Normally, when a link between external neighbors goes down, the BGP session will not be reset 
immediately. If you want the EBGP session to be reset as soon as an interface goes down, use the 'bgp 
fast-external-failover' command, beginning in router configuration mode: 


CLI (config-router)> bgp fast-external-failover 


Automatically resets EBGP sessions. 
4.27.13.2 Statistics 


The following command provides the routes matching the specified prefix: 


CLI> show ip bgp prefix <network>/<len> 


The following command displays all BGP routes that make use of CIDR routing: 

CLI> show ip bgp cidr-only 
The following command provides the routes permitted by the specified community. 'exact-match' 
means that the route must have this community attribute only (and no other communities). 

CLI> show ip bgp community <community-number> [exact-match] 
The following command provides the routes permitted by the specified community list. 'exact-match' 
means that the route must have exactly the same community list attribute only (and no other communities). 


CLI> show ip bgp community-list <community-list-name> [exact-match] 


The following command provides the route list matched by an access list: 


CLI> show ip bgp filter-list <access-list-name> 


The following command provides the route list matched by a regular expression: 


CLI> show ip bgp regexp <regexp> 


The following command provides the whole BGP routing table: 


CLI> show ip bgp 


The following command provides information related to neighbors (or to the specified neighbor): 


CLI> show ip bgp neighbors [<ip-address>] 


The following command provides details for BGP routes exchanged with neighbors: 


CLI> show ip bgp neighbors <ip-address> [received-routes | routes | 
advertised-routes | dampened-routes] 


The following command provides all BGP paths: 


CLI> show ip bgp paths 


The following command provides global, summarized information about BGP status. 


CLI> show ip bgp summary 
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4.28 


OPEN SHORTEST PATH FIRST PROTOCOL (OSPF) 


4.28.1 Introduction and Features 


4.28.1. 


Like RIP, OSPF is an Interior Gateway Protocol in that it was specified to permit route exchange in a 
private network, typically a corporate network. The main difference with RIP is that routers running OSPF 
do not exchange routes but inform the other OSPF routers about the state of their interfaces and each 
OSPF router builds a topological database based on the information received from the other OSPF 
routers. Information about interface states is called LSA (Link State Advertisements). Using this 
information processed by the Dijkstra algorithm, a router will be able to build a shortest path tree to all 
destinations in the topological database. Based on this database, the router builds its routing table. When 
two neighboring routers have built their database and both databases are synchronized, they are called 
adjacent routers. 


OSPF was built with a two-level hierarchical design, dividing the whole network into areas. Area Border 
Routers are routers which own interfaces to two or more areas (ABR). An area topology is not visible from 
routers, which are not part of this area. This reduces the amount of information to send and store, thus 
enabling increased scalability compared with RIP. Area 0 is the top-level area and any other area must be 
connected to area 0 via at least one border router (ABR). All areas form what is called an Autonomous 
System (AS). Border Routers that are connected with networks using other routing protocols (BGP, RIP) 
are called Autonomous System Border Router (ASBR). Below is a typical architecture of a network. 


OSPF Autonomous System 


'Hello' messages are sent by an OSPF router to signal its availability to other routers. In a reverse way, the 
non-reception of 'hello' results in considering the router as unavailable. The 'hello' message is also used to 
elect the Designated Router (DR). The DR generates the LSA for the entire area, thus reducing the 
number of information to exchange. Also, a Backup DR (BDR) can be elected. 





1 Advantages of OSPF 


e Changes in the network are propagated quickly. 
e OSPF is more scalable than RIP for private networks. 
e OSPF supports VLSM (Variable Length Subnet Mask), RIP does not. 


e = After router initialization, OSPF only sends updates when changes in the network occur. If there is no 
link state change, the OSPF protocol is almost silent (only few 'hello' messages = keep alive). 


e The hierarchical design of OSPF enables to reduce the size of routing tables. 


Page 4.28-464 of 484 


ONEOS 


4.28.1.2 


V4.2R5 USER GUIDE (EDITION 5) 


Disadvantages of OSPF 


OSPF is processor-intensive as each router computes its own SPF tree and requires a lot of memory 
because multiple copies of the same information are kept in every OSPF router. This complexity 
increases exponentially with the size of the areas. 


When a link "flaps" (i.e. it goes up and down every few seconds), the network is flooded by updates 
(LSA) to advertise the new state of the flapping link. This is the trade-off with the fast OSPF 
convergence that requires any change be quickly advertised to the many area routers. (Note: BGP 
embeds a flap-dampening feature that assesses link quality and avoids such unnecessary 
advertisement.) 


4.28.2 Features 


The implementation complies with RFC 2328 (OSPF v2), allows the router to behave as Designated 
Router (DR) or Backup DR (BDR) on multi-access networks and supports the following options: 


Optional encrypted authentication: when an OSPF router communicates with neighbors, it can 
authenticate its message using a pre-defined password (transported in clear text). To enhance 
security, a digital signature may be included in the packet transporting the password to guarantee a 
keyed message authentication. The MD5 standard is used to generate the signature. 


Virtual Links: the concept of virtual link enables two OSPF routers to traverse an area. There are two 
scenarios requiring virtual links: 


e When two networks are merged, at least the area 0 must be merged as one. The routers of 
area 0 may not be directly connected. A virtual link enables the connection of the two parts of 
area 0. 


e When an area cannot be directly connected to area 0, a border router of the remote area is 
connected to a border router of area 0 through transit OSPF areas. 


Stub area: external routes are normally injected in OSPF areas by the ASBR as LSA type 5. Some 
areas can be flagged as a stub, when external routes must not be injected in the area by the area. 
This is often the case when an area only has one single point of exit and a default route is sufficient. 
This avoids the useless advertisement of routes in and outside the area, because IP packets should 
anyway be routed through the exit border router. All routers inside a stub area must be configured with 
the 'stub area' option to allow adjacency of the routers. 


Not So Stubby Area (NSSA): stub areas are proven sometimes too restrictive. It is sometimes 
required to ignore advertisements from BGP but authorize those from RIP. In NSSA, OSPF routers 
filter out LSA of type 5 (in this example: those coming from BGP) but inject external routes as LSA 
type 7. 


Route summarization: this feature allows the aggregation of addresses, which is advertised in one 
route. This prevents the advertisement of multiple routes for the address aggregate. This feature 
should be activated in border routers to reduce the routing table sizes. 


RIP/BGP/Static/Default route redistribution: the routes learned by external mechanisms can be 
exported in OSPF advertisements. The cost equivalence is defined when activating such feature. 


4.28.3 OSPF Configuration 


For basic OSPF configuration, you only need to enable OSPF and declare the networks managed by this 
protocol (presented in the following section). Further parameters are all optional. 


4.28.3.1 


4.28.3.1.1 


Enabling OSPF 


On a Broadcast & Point-To-Point Network 


To enable OSPF process run the following command, starting in global configuration mode: 


CLI (configure)> router ospf 
CLI (config-router) > 


This brings the CLI in router configuration mode. 


To form adjacencies with other OSPF routers on a network, run the following command, starting in router 


Page 4.28-465 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


configuration mode: 


CLI (config-router)> network <network>/<length> area <area-id> 


Where <network> is a network IP address, <length> is the length in bits of the network mask and 
<area-idb> is either a decimal value or an IP address. 


This will enable the sending of periodic 'hello' messages on all the interfaces of the router connected to the 
specified network. It is important that <length> matches exactly the mask length of the interface IP 
address. For instance, it should be 32 for a point-to-point interface. For such interface, the network must 
match the next-hop address (not the local one). 


The purpose of the 'hello' message is to establish and maintain neighbor relationships. It ensures that 
communication between neighbors is bi-directional. On broadcast and Non-Broadcast Multi-Access 
(NBMA) networks, it is also responsible for the election of the designated router. 


Example: 


interface Ethernet 0/0 
ip address 10.1.2.48 255.255.255.0 
exit 

interface atm 0 

driver ident 0 

max vp 3 

max vc 8 

range vp min 0 max 5 
range vc min 32 max 64 
execute 

exit 

gshds1l 

execute 

exit 

exit 

interface atm 0.1 

Pvc pppoa vpi 1 vci 49 
ip address 53.0.0.4 
ipep static 
authentication pap 
username user9_0 
password oneaccess 
priority 7 

execute 

exit 


exit 

router ospf 

network 10.1.2.0/24 area 1 
network 53.0.0.4/32 area 1 
exit 


4.28.3.1.2 Non-Broadcast Networks 


For non-broadcast networks, you may specify neighbors. This is done using the neighbor command, in 
router configuration mode: 





CLI (config-router)> neighbor <neighbor-ip-address> 
The above method is not recommended as it offers a poor flexibility. Alternatively, you can configure the 
type of network under interface configuration mode as follows: 
CLI (config-if)> ip ospf network { point-to-point | broadcast | point-to- 
multipoint } 
For example: 


interface serial 0/0.21 
! Enter in a FR sub-interface 
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ip ospf network point-to-point 


4.28.3.2 Router Priority 


Networks are often hierarchical and it is recommended to elect as DR the router which stands at the head 
of the tree. You can set the OSPF priority to enable a router to become the default DR: 


CLI (config-if)> ip ospf priority <0-255> 


With a priority of 0, the router is not eligible. 255 is the highest priority, 1 the lowest. 


4.28.3.3 Router ID 


By default, the OSPF protocol takes the address of the first operational interface as OSPF router IP 
address. This might be inconvenient, as you are not able to predict the IP address of the OSPF router. 


To force the IP address of the OSPF router, use the following command, beginning in router configuration 
mode: 


CLI (config-router) > router-id <A.B.C.D> 


Note: the router ID is also important to elect the DR. When all routers have the same priority and no DR 
exists, the biggest router-ID gets elected as DR. 


4.28.3.4 Area Settings 


To enter in area configuration mode, please begin from the global configuration mode and enter: 
CLI (configure)> router ospf 
CLI (config-router)> area <area-id> 

Route Summarization 


To reduce routing table size, route summarization allows the aggregation of several routes into a reduced 
number of routes. This applies at the ABR to inter-area route exchange for routes that are within the area. 
You need to define the network and network mask to define how the routes are aggregated. The command 
is the following: 


CLI (config-area)> range <A.B.C.D>/<length> 


<A.B.C.D> is the network and <length> is the number of bits to match on the network. It is therefore 
recommended that inter-area route addresses are contiguous for efficient summarization. 


Stub Areas 


External routes injected in the OSPF AS are transmitted as LSA of type 5. When the ‘stub area’ option is 
activated, all LSA of type 5 are discarded thus preventing external routes to be propagated by OSPF. All 
routers of the area must be configured with this attribute to allow router adjacency. To activate the stub 
area option, enter the following from the global configuration mode: 


CLI (config-area)> [no] stub [no-summary] 
When the attribute 'no-summary' is provided, the area is configured as ‘totally stubby area’. In such area 


type, not only external routes are not injected in the AS, but also summarized routes coming from the other 
areas. Only intra-area LSA and default route (0.0.0.0) are exchanged. 


Not So Stubby Areas (NSSA) 


Stub areas are sometimes too restrictive. In NSSA, OSPF routers filter out LSA of type 5 but inject external 
routes as LSA type 7. By default, the ABR will translate received LSA of type 7 in LSA type 5 when 
sending them to another area. It is configured so, beginning in global configuration mode: 


CLI (config-area)> [no] nssa [dont-translate] [no-summary] 
The 'dont-translate' optional attribute indicates that an ABR does not translate LSA type 7 to type 5. 


The LSA are thus discarded. The 'dont-translate' optional attribute tells the ABR not to inject inter- 
area routes into the NSSA. 
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Virtual Links 


Virtual link enable two OSPF routers to traverse an area. A typical case is: when an area cannot be directly 
connected to area 0, a border router of the remote area is connected to a border router of area 0 through 
transit OSPF areas. 


CLI (config-area)> [no] virtual-link <A.B.C.D> 
Where <A.B.C.D> is the IP address of the remote ABR. It is presumed that the router knows a route to 
reach this IP address. 
Authentication 


OSPF messages can be authenticated via a MD5-hashed signature. You can activate this authentication 
for a given area. In area configuration mode, the command is the following for activation of MD5: 


CLI (config-area) > authentication message-digest 


If you want to disable MD5, please use: 





CLI (config-area)> no authentication 
4.28.3.5 Configuring Interface Parameters 
4.28.3.5.1_ Interface Passivation 


It can be useful to make an OSPF interface silent: it can receive OSPF LSA but cannot send any LSA. 
Making such interface silent is called interface passivation. To passivate an interface, use the following 
command beginning in global configuration mode 


CLI (configure)> router ospf 

CLI (config-router)> passive-interface { loopback <lb-id> | 

Ethernet <slot>/<port>[.<vlan-if>] | 
FastEthernet <slot>/<port>[.<vlan-if>] | 
Atm <intf>.<port> | 

Serial <slot>.<port> | 

Bri <slot>/<port>} 





4.28.3.5.2 Authentication 


Several commands exist in interface configuration mode that enables to modify some OSPF specific 
parameters for a given interface. 


To specify the authentication type for an interface, use the following command: 
CLI (config-if)> ip ospf authentication { message-digest | null } 
Authentication type configured for an interface overrides type that might be configured for the area to 


which it belongs. That is why 'null' authentication type is provided. If no type is specified, simple password 
authentication is used. 


Before using this command, configure a password with: 


CLI (config-if)> ip ospf authentication-key <password> 


<password> Is an alphanumeric password. 
If you rather want to use message digest authentication, use first: 


CLI (config-if)> ip ospf message-digest-key <keyid> md5 <key> 


Where <keyid> is an identifier in the range 1 to 255 and <key> is an alphanumeric password (maximum 
length: 16). 


To remove authentication type for an interface, use the no form of this command: 


CLI (config-if)> no ip ospf authentication 
4.28.3.5.3 Interface Cost 


Definitions: 
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e An interface cost reflects the throughput of a link. The lower the cost, the more the interface is 
preferred for routing. The cost is a specific OSPF term. 


e A metric defines the overall cost of a route. To reach a destination, the router must take into account 
not only the output interface, but the efficiency of the whole path. Therefore, the OSPF algorithm 
computes the metric based on the cost of all interfaces, which are traversed along this route. A metric 
is not a term specific to OSPF; this is the value installed in the routing table. 


The default value of the cost depends on the bandwidth of the interface; it is calculated with the following 
formula: 


Cost = Ref-Val in bps / bandwidth-in-bps 
Ref-Val is 108. This will give for instance a default cost of 1 for a FastEthernet (100Mbps) interface, 10 


for an Ethernet (10Mbps) interface or 50 for an ATM PVC (2Mbps). Therefore, the higher the cost, the less 
the interface is likely to be used. 


To specify the cost of sending a packet on an interface, use: 
CLI (config-if)> ip ospf cost <cost> 
<cost> is an unsigned integer value in the range 1 to 65535. This value will be taken by the link cost in 
the Router LSA (Link State Advertisement). To return to the default cost, use the no form of this command: 
CLI (config-if)> no ip ospf cost 
Instead of 108, you can set another reference value for cost computation. The command is the following, 
beginning in router configuration mode: 


CLI (config-router)> auto-cost reference-bandwidth <1-—-4294967> 


The reference value is provided in Mbps. (Using 100 sets the default value). 
4.28.3.5.4 Route Redistribution and Interworking with Other Routing Protocols 
4.28.3.5.4.1. Administrative Distance 


For the same destination, it might be possible that several routes exist in BGP, RIP or OSPF databases. 
The router installs the route in its routing table based on the ‘administrative distance’ value. The distance is 
a parameter that you can set for each routing protocols and that reflects the level of confidence in a routing 
protocol. For example, you may want to always select the BGP route if it exists. Since the lower the 
distance, the higher the confidence, BGP must have the lowest administrative distance. 


The OSPF administrative distance is set as follows, beginning in global configuration mode: 


CLI (configure)> router ospf 
CLI (config-router)> distance <1-255> 
4.28.3.5.4.2 Distribute List 
OSPF update filtering enables the router to select route prefixes that are advertised globally and/or per 
interfaces. The command is the following: 
CLI (config-router)> distribute-list <acl-name> out [ static | rip | bgp ] 


If the optional arguments are not provided, the filtering applies to all redistributed routing updates. The 
access lists are standard access lists. See access-lists used for route filtering in 4.26.2.7.1. 


4.28.3.5.4.3 Route Redistribution 


4.28.3.5.4.3.1 Introduction to External Route Metric Types 


When redistributing routes, you can choose whether the metric shall be of type E1 or E2. E2 means the 
route metric is equal to the cost of the external interface cost, independently from all interface costs in the 
OSPF domains. 


E1 metric means the metric is the sum of all interface costs in OSPF domain for that route + external 
interface cost. 
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4.28.3.5.4.3.2_ Default Route 


An ASBR router can send a default route (0.0.0.0) in the OSPF domain, when it has received it from 
another protocol (e.g. RIP). To do so, use the following command beginning in router configuration mode: 


CLI (config-router)> [no] default-information originate [always] 
If the Keyword ‘always’ is added, it implies the router sends a default route regardless of the fact that it has 
really a default route or not. 
You can associate a route metric for this default route (default metric: 20): 


CLI (config-router)> default-information originate metric <metric> 


The metric type is set as follows: 





CLI (config-router)> default-information originate metric-type {1 | 2} 


4.28.3.5.4.3.3 Injection of External Routes 
You can redistribute in OSPF dynamically learned or statically configured routes by means of the 
‘redistribute’ command. Use the following command in router configuration mode: 


CLI(config-router)> redistribute {bgp | rip | static | connected } 
[{[ metric <metric> ] metric-type { 1 | 2 } ] [route-map <route-map-id>] 


You can optionally use route maps to advertise only certain LSA. Route maps are a global mechanism for 
routing protocols that enables the filtering of undesired routes. As route-maps can be used for BGP, RIP 
and OSPF, some configuration commands for route maps are only relevant for certain protocols (mostly 
BGP), hence the fact that they are detailed in each section for every routing protocols. 


4.28.3.5.4.3.4 Route Maps 
To define a route map use the following command, beginning from the global configuration terminal: 


CLI (configure)> route-map <map-tag> [permit | deny] [<sequence-number>] 


Where 
<map-tag> is a string identifying the route map. 


<sequence-number> is an integer indicating the relative position compared to other instances that define 
the route-map. When OSPF applies a route-map instance to routing advertisements, it applies the lowest 
instance first. If the set of conditions is not met the next instance is used and so on until either a condition 
is met or there are no more conditions to apply. We generally use ‘10’ as <sequence-number> when 
creating the route map and use increments of ‘10’ for the following route map sequence, so that you can 
insert easily other route map instances between already configured instances. 


Conditions are expressed using the match command that is defined as follows: 


CLI (config-route-map)> match ip {address | next-hop} {<access-list-— 
number> | prefix-list <prefix-—list—name>] 





When using the address keyword, the match clause applies the access/prefix list to the advertised 
network. When using the next-hop keyword, the match clause applies the access/prefix list to the next- 
hop of the advertised network. Prefix-list use is defined in 4.26.2.7.2 and access-lists use for route filtering 
in 4.26.2.7.1. 


You can filter LSA using tags. An OSPF tag is a special field in LSA, encoded over 32 bits that can be 
used as a configuration facility to mark and to filter LSA: 


CLI (config-route-map) > match tag <0. .4294967295> 


To set a tag, use: 





CLI (config-route-map)> set tag <0..4294967295> 


You can modify the metric of matching advertisements: 
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CLI (config-route-map)> set metric <metric> 
This command sets the route metric. The command 'set metric [+]|-]<metric>' is only supported 
for BGP. 
To set the metric type: 


CLI (config-route-map) > set metric-type { type-1 | type-2 } 


4.28.3.5.4.3.5 Distribute List 


Let us imagine that you want a network using BGP to be aware of routes in an OSPF cloud and vice-versa. 
You need to mutually redistribute protocols from BGP to OSPF and OSPF to BGP. Under certain 
circumstances, you can create routing loops. To avoid such undesirable effects, the solution is to filter out 
OSPF routes injected in other routing domain. 


On an ASBR, you can filter routes that are redistributed into an external routing domain (such as RIP). The 
command is the following (in router configuration mode): 


CLI (config-router)> distribute-list <acl-name> out {bgp | rip | ospf | 
static | connected } 


<acl-name> is the name of the standard access list filtering the route. 


4.28.3.6 OSPF Tuning 
4.28.3.6.1. Timers 


The following parameters can be defined for an interface or virtual link. For an interface, please enter in 
interface configuration mode. For virtual link, enter in area configuration mode and substitute 'ip ospf' 
by 'virtual-link <A.B.C.D>'. 


To specify the number of seconds before the router will declare its neighbors down, without getting ‘hello’ 
packets, use the following command: 


CLI (config-if)> ip ospf dead-interval <seconds> 


The <seconds> parameter is a positive integer representing the interval. 


This value is advertised in ‘hello’ packets sent out on this interface. It must be the same for all routers 
connected to the same network. The default value is four times <hello-interval>. 


To return to the default value of this interval, use the no form of this command: 

CLI (config-if)> no ip ospf dead-interval 
To specify the time between ‘hello’ packets that the router sends on this interface, use the following 
command: 


CLI (config-if)> ip ospf hello-interval <seconds> 


The <seconds> parameter is a positive integer representing the interval. 


This value is advertised in ‘hello’ packets sent out on this interface. It must be the same for all routers 
connected to the same network. The default is 10 seconds. To return to the default value of this interval, 
use the no form of this command: 


CLI (config-if)> no ip ospf hello-interval 
To specify the delay length before retranslating a link state advertisement for which no acknowledgement 
has been received, use the following command: 

CLI (config-if)> ip ospf retransmit-—interval <seconds> 
Where <seconds> is a positive integer, which must be greater than the estimated round-trip delay 


between two neighbors on the network. The default is 5 seconds. To return to the default value of this 
interval, use the no form of this command: 


CLI (config-if)> no ip ospf retransmit—interval 
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On low speed interfaces, it might take a long time to transmit a LSA; therefore adjacency between routers 
is not achieved properly and that routers are synchronized with a too long time offset. By default, it is 
assumed that it takes 1 sec to transmit the LSA. But on low speed interfaces, the OSPF router needs to 
"anticipate" coping with the slow speed of the link. The command is the following: 


CLI (config-if)> transmit-delay <time-in-s> 
4.28.3.6.2 Override MTU Check 


By default, OSPF routers dialog with each other if they have exactly the same MTU. However, it may be 
possible that the MTU is not equal for both routers. For example, an OSPF router A is connected to an 
Ethernet switch using conventional Ethernet. Router A must dialog with router B, connected on the same 
switch, but using VLAN. The VLAN header reduces MTU. If you want to disable MTU comparison, use the 
following command in interface configuration mode: 


CLI (config-if)> [no] ip ospf mtu-ignore 
4.28.3.6.3 OSPF Behavior Tuning 


You normally do not need to tune such parameters. 


By default, the OneOS implementation complies with RFC 2328. You may have to connect OneOS-based 
routers with older equipment using an implementation based on RFC 1583. To do so, begin in global 
configuration mode and enter: 


CLI (configure)> router ospf 
CLI (config-router)> [no] compatible rfc1583 


It is also possible that the OneOS-based ABR router must inter-operate with equipment having some old, 
non-RFC compliant features. In OSPF router configuration mode, it is configured as follows: 


CLI (config-router)> abr-type { cisco | ibm | standard } 


By default, 'standard' is selected, which means the behavior complies with RFC 2328. 
4.28.3.6.4 Overflow Management of External Routes 


OSPF is an Interior Gateway Protocol, that is to say, it is designed to manage routing in private networks. 
When external routes are advertised in the OSPF AS from an External Gateway Protocol (like BGP), it 
becomes possible thousands of routes be injected in OSPF. As OSPF is very processor- and memory- 
consuming, this can result in poor router performance. To avoid such situation, you can protect the router 
by limiting the number of processed external routes, using the ‘overflow’ command beginning in router 
configuration mode: 





CLI (config-router) > overflow external <nb-external-routes> <silent-time> 


<silent-time> is the time in seconds, ranging from 0 to 65535, during which the router ignores any 
updates for injected external routes. To restore default values, use: 


CLI (config-router)> no overflow external 


Default values are: 
e 3000 external routes (8000 external routes for the ONE400): 


e 1800 seconds silent time (80 minutes) 


4.28.4 Statistics 


Several 'show' routines are available to display OSPF statistics. General statistics are provided with: 


CLI> show ip ospf 


For information about ABR, use: 


CLI> show ip ospf border-routers 
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As the OSPF database contains a fairly high number of information, you can view a part of the OSPF 
database using the following command and options 


CLI> show ip ospf database [ asbr-summary | 
external | 
network | 
router | 
summary | 
max-age | 
self-originate ] 

For information about an OSPF interface, use: 


CLI> show ip ospf interface [ <interface-type> <unit> ] 


For information about neighboring OSPF routers, use: 


CLI> show ip ospf neighbor [ all | <A.B.C.D> | detail ] 


For information about an OSPF routes, use: 


CLI> show ip ospf route 
4.28.5 Debugging OSPF 


To solve configuration issues, you might have to activate trace functions. It is based on the 'debug 
<...>' command and is deactivated using the 'no' form of the command ('no debug <...>'). 


To debug ABR-related issue, use the following command: 

CLI> debug ospf abr 
To debug events in the interface state machine (ISM, i.e. the transitions between the OSPF interface 
states), use the following command: 

CLI> debug ospf ism 
To debug events in the neighbor state machine (NSM, i.e. the transitions between the OSPF neighbor 
states), use the following command: 

CLI> debug ospf nsm 
To debug interface state machine (ISM, i.e. the transitions between the OSPF interface states), use the 
following command: 


CLI> debug ospf ism 


To debug general OSPF protocol state transitions, use the following command: 


CLI> debug ospf events 


To debug exchange of external routes with OSPF, use the following command: 


CLI> debug ospf external 


To debug and decode all OSPF protocol packets, use the following command: 


CLI> debug ospf packet 


To monitor LSA, use the following command: 


CLI> debug ospf lsa [{ generate | install | flooding | refresh }] 


To debug NSSA - related information, use the following command: 





CLI> debug ospf nssa 
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4.29 


MULTICAST ROUTING 


4.29.1 Principles of Multicast Routing 


4.29.1. 


1 Why Multicast 


The IP protocol defines three types of IP packets: unicast, broadcast and multicast. Unicast packets are 
destined from a source to a destination host. Unicast is intended for host-to-host communication. 
Broadcast packets are emitted by a single host and destined to all hosts of the same network. The 
broadcast mode is thus intended to send information to multiple hosts, which may have interest in 
receiving these information pieces. However, the broadcast mode cannot scale in large networks as it 
means waste of bandwidth (because all listening hosts do not have interest in receiving that packet) and 
possible networking issues such as broadcast storm in case of a routing loop. That is the reason why a 
third type of IP packet was introduced: multicast packet. 


“Multicast” is an IP packet type designed to send data to a group of selected hosts. In other words, 
multicast is intended for point-to-multipoint communication. Example of applications for multicast: 


e Routing protocols (RIP, OSPF), where routing information are exchanged between routers via 
multicast packets. 


e Voice and video broadcasting: multiple end-users register to a server in order to receive a multimedia 
stream. 


IP packets are multicast packets when their IP address belongs to the range 224.0.0.0 to 
239.255.255.255. Actually, the range of IP addresses was partitioned by the IANA into sub-categories. 
224.0.0.0 to 224.0.0.255 is reserved for routing protocols. Only the range 224.0.1.0 to 238.255.255.255 is 
allocated to user address space. A multicast address thus corresponds to a multicast application running 
between a multicast source and receiving hosts. 


On an Ethernet network, a multicast packet is transported in a special MAC frame. Therefore, a multicast 
sender only has to forward a single MAC frame when sending multicast flows to multiple destinations on 
the LAN. The last three bytes of the multicast IP address are copied into the MAC destination address as 
follows: if the multicast IP address is ???.X.Y.Z, the Mac frame is 01:00:5E:X:Y:Z. Therefore, the first 5 bits 
of the multicast IP is not mapped, which can seldom yield to conflicts, which can be avoided with good 
network design practices. 


4.29.1.2_ Components of a Multicast Network 


Let us look at an example to make things clearer. At one hand, a video streaming server is running and is 
connected to a multicast network. On the other hand side, some computers connected to a same multicast 
router would like to receive the video stream. The computers join and leave the multicast group to start and 
stop receiving the video stream while the server continues to broadcast video. 


The computers requests that the multicast flow be sent to them using the IGMP protocol. The IGMP 
protocol enables them to announce that they are willing to join and leave a multicast group. The multicast 
router receiving the join request will in turn try to find the multicast source. To find that source, a multicast 
routing protocol is needed to inform multicast routers that the multicast flow must be forwarded to the 
requiring router. The role of the multicast routing protocol is to build a multicast distribution tree. Building a 
distribution tree tells where multicast packets must be replicated so that the first single multicast packet is 
forwarded to all destinations. The multicast routing topology can be optimized to privilege the shortest path 
from source to destination or the overall bandwidth required in the backbone. 


A distribution tree can be either a source tree or a shared tree. A source tree forms a tree, which has the 
shortest path (Shortest Path Tree: SPT) from the source to all destinations. A shared tree is a tree that is 
not optimal in terms of distance from the source to destination but rather tries to share segments of the 
tree between multiple destinations. Shared trees enable to replicate less multicast packets. As the shared 
trees are less complex (because they have less segments), multicast routers have less neighbor status 
information to maintain, which requires less resources than a source tree model. 
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Note: it is possible to traverse networks not supporting multicast routing. To do so, a common solution is 
that the multicast routing protocol is encapsulated in a GRE tunnel. 


4.29.2 Protocol Independent Multicast 
4.29.2.1_ Introduction 


The PIM-SM (Protocol Independent Multicast Sparse-Mode) is a protocol for routing multicast packets to 
multicast groups. OneOS supports PIM-SM version 2. It is designed to create distribution tree along the 
reverse path from the receivers towards the sources. PIM is called “independent” because it uses unicast 
routing table (populated by other routing protocols such as static, connected, RIP, OSPF ... routes) to build 
the distribution tree. The unicast routing table is also the routing information base used to perform Reverse 
Path Forwarding (RPF) check: RPF check consists of verifying that a received packet was received from 
the expected interface that matches the route in the unicast routing table. With unicast packets, RPF helps 
in preventing IP spoofing. With PIM-SM routing, the RPF check is intended to determine upstream 
neighbors form which multicast traffic would take from the source. A router forwards multicast packets only 
if it is received on the upstream interface. 


PIM neighbor discovery is performed using Hello messages sent periodically to on all PIM interfaces. 


PIM-SM uses Shared Tree as multicast distribution tree. The Shared Tree model needs one or more 
Rendezvous Point (RP) placed in the PIM-SM domain, and known by the others PIM-SM routers. The 
multicast traffic generated from a source is sent to the RP, and then it is forwarded down the shared tree to 
the receivers. A multicast source and receivers can communicate together if their attached routers know 
how to reach a common RPP router or different RP routers (reachable with each other). 


Rendezvous Point can be configured statically or dynamically using Bootstrap (BSR) messages. 


When a receiver joins a multicast group, it sends an IGMP report message. The multicast router directly 
connected to the receiver, elected as a DR (Designated Router), sends a PIM Join message to the RP for 
that multicast group. The Join message is forwarded to the RP and that creates hop-by-hop a distribution 
tree. 


When a source starts sending multicast traffic for that multicast group, the multicast router directly 
connected to the source and elected as DR encapsulates the packets as unicast packets and sends them 
to the RP with a Register message. The RP de-encapsulates the packets and forwards the data down 
through the shared tree to reach the receiver(s) listening to that group. 


In the shared tree model, the multicast data flows down through the RP. But a receiver could reach a 
source with a shortest path other than the route via the RP. Indeed the route via the RP may involve an 
important detour. To optimize use of the bandwidth on the RP path or to reduce latencies, the receiver’s 
local DR router may initiate the shortest path tree (SPT) transfer or not, by sending a Join message directly 
to the source. After the sender’s local DR has received the Join message, multicast traffic starts flowing 
down through the SPT. At this point, data are forwarded to the receiver using two paths, the shared path 
tree and the shortest path tree. When the receiver's local router establishes it has received two copies of 
the packets, it drops packets form the RP and sends a Prune message towards the RP. The prune 
message tells the RP to stop forwarding the multicast data. 
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4.29.2.2_ PIM-SM Configuration Steps 


Required steps: 


Enable Multicast Routing 


Enable PIM Sparse Mode on interfaces 


Configure Rendezvous Point (RP): 
e Either: Configure router as static RP 


e Or (and) Configure router as Candidate RP 


Configure router as Candidate BSR (optional) 
Optional steps: 

e Configure TTL Threshold on interfaces 

e Configure SPT switching threshold 

e Configure Register source address 


e Configure static multicast routes 
4.29.2.3 PIM-SM configuration commands 
4.29.2.3.1 Enabling Multicast Routing 


Multicast routing enables the router to forward multicast flows. To enable IP multicast forwarding on the 
router, use the following commands beginning in global configuration mode: 


CLI (configure)> ip multicast-routing 


To disable Multicast Routing, use the following commands beginning in global configuration mode: 





CLI (configure)> no ip multicast-routing 
4.29.2.3.2 Enabling PIM Sparse Mode 


To enable PIM Sparse Mode on a router interface, first select the interface and use the following 
commands beginning in global configuration mode: 


CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip pim sparse-mode 


To disable PIM Sparse Mode, use the following commands beginning in global configuration mode: 





CLI (config-if)> no ip pim sparse-mode 
By default, PIM-SM is not activated. 
4.29.2.3.3 Configuring Static RP 


To configure a static RP on the router, use the following commands beginning in global configuration 
mode: 


CLI (configure)> ip pim rp-address <ip-address> [group-list <access-list-— 


name> ] [override] 


By default, a static RP has the lowest priority. If the ‘override’ keyword is entered, the static RP is always 
preferred over dynamically learnt RP. To remove a static RP, use the following commands beginning in 
global configuration mode: 


CLI (configure)> no ip pim rp-address <ip-address> 
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4.29.2.3.4 Configuring Candidate RP 


To configure the router to advertise itself as Candidate RP, use the following commands beginning in 
global configuration mode: 


CLI (configure)> ip pim rp-candidate <type> <unit> [group-list <access-— 
list-name> [priority <0-255>] 


The interface <type> <unit> is the IP address that is advertised as candidate RP IP address. The 
group-list specifies the multicast group prefixes advertised by this router. The router with the lowest 
(priority) number has the highest priority. The default priority is 0. To remove the router as Candidate RP, 
use the following commands beginning in global configuration mode: 


CLI (configure)> no ip pim rp-candidate 
4.29.2.3.5 Configuring Candidate BSR 


The BSR is elected according to a priority number. The BSR advertises which RP is in charge of building 
the multicast distribution tree for a particular multicast group. In order to select the group prefixes per RP, 
the RFC 2362 (PIM-SM) defines a hash function requiring a hash mask length. By default, the mask is 30 
bits long. To configure the router as Candidate BSR, use the following commands beginning in global 
configuration mode: 


CLI (configure)> ip pim bsr-candidate <type> <unit> [hash-mask-len <mask-— 
len>] [priority <0-255>] 


The interface <type> <unit> is the IP address that is advertised as candidate BSR IP address. The 
highest priority is preferred. (Default value= 0). To remove the router as Candidate BSR, use the following 
commands beginning in global configuration mode: 


CLI (configure)> no ip pim bsr-candidate 
4.29.2.3.6 Configuring TTL Threshold on interfaces 


The TTL threshold value controls if a multicast packet can be forwarded on the interface. Packets are 
forwarded, only if the TTL value is greater than the TTL configured on the interface. The TTL is 
decremented every time a multicast packet is forwarded. 


To configure a TTL threshold on an interface, use the following commands beginning in global 
configuration mode: 


CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip multicast ttl-threshold <tt1l-value> 





To restore the default TTL threshold on an interface, use the following commands beginning in global 
configuration mode: 


CLI (config-if)> no ip multicast ttl-threshold 


By default, TTL threshold value is 1. 
4.29.2.3.7 Configuring SPT switching threshold 


The SPT switching threshold enables the router to automatically switch form the shared path tree to the 
shortest path tree after multicast traffic rate is greater than the rate configured. 


To configure the Source Tree switching threshold, use the following commands beginning in global 
configuration mode: 


CLI (configure)> ip pim spt-threshold <rate-in-kbps> 


To restore the default Source Tree switching threshold, use the following commands beginning in global 
configuration mode: 


CLI (configure)> no ip pim spt-threshold 


By default, the SPT switching threshold is 8 kbps. 
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4.29.2.3.8 Configuring Register source address 


To configure a source address for sending the register message, use the following commands beginning in 
global configuration mode: 


CLI (configure)> ip pim register-source <source-address> 


To restore the default source address for register message, use the following commands beginning in 
global configuration mode: 


CLI (configure)> no ip pim register-source 
4.29.2.3.9 Configuring IP Multicast Static Route 


To configure an IP multicast static route, use the following commands beginning in global configuration 
mode: 


CLI (configure)> ip mroute <source-address> <mask> [{<rpf-address> | 
<type> <unit>}] 


To remove an IP multicast static route, use the following commands beginning in global configuration 
mode: 


CLI (configure)> no ip mroute <source-address> <mask> [{<rpf-address> | 
<type> <unit>}] 


4.29.2.3.10 Configuring IP Multicast Route Limit 


To limit the number of multicast states that can be added to a multicast routing table use the following 
command in global configuration mode. To disable this configuration, use the no form of this command. 


CLI (configure)> [no] ip multicast route-limit <limit> [threshold] 


limit is the number of multicast routes that can be added. The range is from 1 to 2147483647, the latter 
being the default value. 


threshold is the number of multicast routes that cause a warning message to occur. The threshold value 
must not exceed the limit value. 


4.29.2.3.11 Configuring IP Multicast Scope Group 


To configure an administratively scoped boundary, use the following command in interface configuration 
mode. To remove the boundary, use the no form of this command. 


CLI (configure)> [no] ip multicast boundary <access-list> [ in | out ] 


access-list is the number or name identifying an access list that controls the range of group addresses 
affected by the boundary. The access list must be a standard access list when no direction is given 
(neither in nor out). It can be a standard or extended access list when applied to one direction (in or 
out) or to both directions (two commands with in and out). 


4.29.2.4 Configuration Example 


In the following example, router C is the RP for all possible group addresses, because no restricting 
access-list is associated with this router. The receiver in network 192.168.2.0/24 joins any group G, by 
means of an IGMP report message received by router A. Consequently, Router A sends PIM join 
messages for group G to the RP, building a branch of the RP tree for group G. As soon as Source on 
network 20.1.1.0 begins to send data packets destined to group G, router B sends these packets 
encapsulated in register messages to the RP, which forwards them down the RP tree towards the 
Receiver. AS no command spt-threshold is configured on router A, the default data threshold is 
8 kbps. If the data throughput exceeds this value, router A joins directly router B for building the SP tree 
towards the source (because it is the shortest path): at this time, data will flow directly from router B to 
router A, which causes router A to send PIM prune messages to RP to stop the data flow coming down the 
RP tree. In addition, router B will continue to send the data packets in register messages to the RP, which 
will respond by register-stop messages to router B because the RP has no more receivers down the RP 
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Router A configuration: 


ip multicast-—routing 
interface fastethernet 0/0 
ip address 192.168.2.1 
ip pim sparse-mode 
exit 
interface fastethernet 0/1 
ip address 194.1.1.1 
ip pim sparse-mode 
exit 
interface atm 0 
driver ident 0 
max vp 8 
max vc 8 
range vp min 0 max 10 
execute 
exit 
gshdsl 
linerate adaptive 384 2304 
mode 2_wire 
execute 
exit 
exit 
interface atm 0.1 
pvc pppoa vpi 8 vci 35 
ip address 168.112.112.1 
ipep static 
authentication no 
execute 
exit 
ip pim sparse-mode 
exit 
ip route 20.1.1.0 255.255.255.0 atm 0.1 
ip route 190.1.1.0 255.255.255.0 194.1.1.8 
ip pim rp-address 190.1.1.8 


Router B configuration: 
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ip multicast-routing 
interface fastethernet 0/0 
ip address 20.1.1.2 
ip pim sparse-mode 
exit 
interface fastethernet 0/1 
ip address 190.1.1.2 
ip pim sparse-mode 
exit 
interface atm 0 
driver ident 0 
max vp 8 
max vc 8 
range vp min 0 max 10 
execute 
exit 
gshdsl 
equipment CO 
linerate adaptive 384 2304 
mode 2_wire 
execute 
exit 
exit 
interface atm 0.1 
Pvc pppoa vpi 8 vci 35 
ip address 168.112.112.2 
ipep static 
authentication no 
execute 
exit 
ip pim sparse-mode 
exit 
ip route 192.168.2.0 255.255.255.0 atm 0.1 
ip pim rp-address 190.1.1.8 


Router C configuration: 


ip multicast-routing 
interface fastethernet 0/0 
ip address 190.1.1.8 

ip pim sparse-mode 

ixit 

interface fastethernet 0/1 
ip address 194.1.1.8 

ip pim sparse-mode 
exit 
ip route 20.1.1.0 255.255.255.0 190.1.1.2 
ip pim rp-address 190.1.1.8 


4.29.2.5 Statistics 


To display statistics about multicast routing: 


CLI> show ip multicast statistics 


To display information about multicast route cache: 


CLI> show ip multicast cache 


To display information about PIM interface: 


CLI> show ip pim interface 


To display information about PIM neighbors: 





CLI> show ip pim neighbors 


To display information about PIM route: 


Page 4.29-480 of 484 


ONEOS V4.2R5 USER GUIDE (EDITION 5) 


CLI> show ip pim route 


To display list of PIM Rendezvous Point (RP): 


CLI> show ip pim rp 


To display RP mapping information about a multicast group: 


CLI> show ip pim rp-hash <group-address> 


To display statistics about PIM: 


CLI> show ip pim statistics 
4.29.2.6 Debug and Trace 


To enable all PIM debugging, use the following command: 


CLI> [no] debug ip pim 


To enable PIM Assert packets debugging, use the following command: 


CLI> [no] debug ip pim assert 


To enable PIM bootstrap packets debugging, use the following command: 


CLI> [no] debug ip pim bootstrap 


To enable PIM RP selection debugging, use the following command: 


CLI> [no] debug ip pim cand-rp 


To enable PIM packet detail debugging, use the following command: 


CLI> [no] debug ip pim detail 


To enable PIM group specific debugging, use the following command: 


CLI> [no] debug ip pim group 


To enable PIM hello packets debugging, use the following command: 


CLI> [no] debug ip pim hello 


To enable PIM join/prune packets debugging, use the following command: 


CLI> [no] debug ip pim join 


To enable PIM register packets debugging, use the following command: 


CLI> [no] debug ip pim register 


To enable PIM route states debugging, use the following command: 


CLI> [no] debug ip pim route 


To enable PIM reverse path forwarding debugging, use the following command: 


CLI> [no] debug ip pim rpf 
To disable PIM reverse path forwarding debugging, use the 'no' form of the above command. 
4.29.3 |IGMP 
4.29.3.1 Features 


Internet Group Management Protocol (IGMP) is a protocol used by IPv4 systems to report IP multicast 
memberships to neighboring multicast routers. 


IGMP protocol is based on two kinds of messages: queries and reports. While routers send queries to 
inform clients about their presence, clients answer and send report messages to tell which multicast group 
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they want to be added to. 


Further to the first released IGMP version, IGMP version 2 introduces a new kind of packet defined as 
“leave” message, sent once an IGMPv2 application is closed. IGMPv3 adds support for source filtering, 
which enables a multicast receiver host to signal to a router which groups it wants to receive multicast 
traffic from, and from which source(s) this traffic is expected. Two main modes are supported in IGMPv3 
messages: INCLUDE mode and EXCLUDE mode. While the former announces membership to a host 
group and provides a list of IP addresses (the INCLUDE list) from which it wants to receive traffic, the latter 
announces membership to a host group and provides a list of IP addresses (the EXCLUDE list) from which 
it does not want to receive traffic. The fact that multicast source can be selected is often referred to as 
Source Specific Multicast (SSM). 


4.29.3.2_ IGMP Configuration 
4.29.3.2.1| Enabling IGMP 


Once PIM is enabled on an interface, IGMP is enabled too on the same interface. By default, IGMPv2 is 
supported. However, it is possible to force another IGMP version. 


CLI (config-if)> ip igmp version <1-2-3> 
If IGMPv3 is configured, then IGMPv3 reports are supported. To restore the default configuration, use the 
following command line: 


CLI (config-if)> ip igmp version 2 
4.29.3.2.2 Configuring IGMP Timers 


Each IGMP query is periodically sent to the defined subnet. Query interval is the interval in seconds 
between each query. Use the following command line in interface configuration line: 


CLI (config-if)> ip igmp query-interval <1-18000> 
i. come back to default configuration with a query interval set to 125 seconds, use the following command 
ine: 

CLI (config-if)> ip igmp query-interval 
Each IGMP query waits for a potential report, in response to the query, until a maximum response time 


authorized. To configure this maximum response time, use the following command line in interface 
configuration line: 


CLI (config-if)> ip igmp query-max-response-time <1-25> 
To come back to default configuration with a query max response time set to 10 seconds, use the following 
command line: 


CLI (config-if)> ip igmp query-max-—response-time 
4.29.3.2.3 Configuring IGMP Access Policies 


It is possible to filter incoming reports upon group address, and even source address when IGMPv3 
records are received. If a standard access-list is chosen, only a group of multicast addresses records are 
read and permitted. An extended access-list permits the configuration of a specific source address and 
multicast address. To configure an access-list, use the following configuration in interface command line: 


CLI (config-if)> ip igmp acces-group <name> 


To come back to default configuration no filtering applied to incoming IGMP reports, use the default 
command in interface configuration mode: 


CLI (config-if)> no ip igmp access-—group 


4.29.3.2.4 Configuring IGMP Static Group 


The following command in interface configuration mode configures the router to be a statically connected 
member of the specified group on the interface. To remove the router as a member of the group, use the 
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no form of this command. 
By default, a router is not a statically connected member of an IP multicast group. 


CLI(config-if)> [no] ip igmp static-group <group-address> [source 
<source-address>] 


<group-address> is the IP multicast group address of a group to which the router belongs. 


<source-address> is the IP address of a system within the group from where multicast data packets 
originate. 


4.29.4IGMP Statistics 


To display information of IGMP configuration, use the following command line in configuration command: 


CLI> show igmp interface 
4.29.5I1GMP Debugging 


To display IGMP debug information, use the following command line: 


CLI> debug ip igmp 
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4.30 


OPEN SOURCE SOFTWARE 


The OneAccess Operating System (OneOS) includes source code covered by the GNU General Public 
License (GPL) terms and conditions. As a result the OneOS distribution terms allow distribution in source 
code form of the software library named hereafter: 


e Zebra routing software, Copyright (C) 2000 Kunihiro Ishiguro. 


e 4.4BSD software, Copyright (C) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The 
Regents of the University of California. All rights reserved. 


The GPL files can be obtained by connecting to the following URL: http://www.oneaccess- 
net.com/en/fsoft/fsoft.html. OneAccess is committed to provide the sources on request for 3 years after 
time of purchase of the product. 
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